iLEAPP and RLEAPP updates and dev thoughts
Alex (@kviddy) has been pushing some extremely useful updates to the open-source Android forensic tool - [ALEAPP](https://github.com/abrignoni/ALEAPP]. Speci...
Tag Archive
- dfir 127
- infosec 87
- HowTo 64
- Digital Forensics 30
- Discussion 21
- Research 20
- Infosec 16
- Conferences 2012 14
- CTF 14
- Linux 13
- CFP 2015 13
- Conferences 2015 13
- Education 12
- Conferences 2013 12
- REAPERPreview 11
- Magnet 11
- Conferences 2014 10
- REAPER 9
- Encryption 8
- Memory Forensics 7
- CFP 2016 7
- Projects 6
- CFP 2013 6
- programming 6
- tools 6
- CFP 2012 5
- Hashing 5
- anti-forensics 5
- CFP 2014 5
- DFRWS 5
- Password Cracking 5
- Forensic Acquisition 5
- tutorial 5
- Threats 4
- Survey 4
- Law 4
- ICDF2C 4
- CFP 4
- android 4
- linux 4
- golang 4
- course 4
- Digital Crime 3
- Crime 3
- Fuzzy Hashing 3
- Intelligence 3
- Webinar 3
- Thanks! 3
- JDFSL 3
- Cybersecurity 3
- GPG 3
- Conferences 2016 3
- python 3
- digital forensics 3
- research 3
- investigation 3
- mobile 3
- cryptocurrency 3
- Goldfish 2
- Cybercrime Technologies 2
- Categorization 2
- Malware 2
- Live Data Forensics 2
- Cloud Computing 2
- International Communication 2
- Storage 2
- Digital Forensic and Forensic Sciences 2
- Standards 2
- Human Exploitation 2
- Cybercrime 2
- Meetup 2
- SeoulTechSoc 2
- cyberlaw 2
- Data Recovery 2
- ransomware 2
- Digital Investigation 2
- Autopsy 2
- OCR 2
- public awareness 2
- National Security 2
- cybersecurity 2
- incident response 2
- conferences 2018 2
- analysis 2
- autopsy 2
- Q&A 2
- ctf 2
- community 2
- competition 2
- blockchain 2
- supply chain 2
- live data forensics 2
- RAM forensics 2
- livestream 2
- ileapp 2
- privacy policy 1
- OS X 1
- ANT 1
- I18N/L10N 1
- ATOM 1
- Policing 1
- Critical Systems 1
- Formal Methods 1
- Social Media 1
- Perceptual hashing 1
- Computer Vision 1
- Mutual Legal Assistance 1
- BigData 1
- Forensic Challenge 2014 1
- News 1
- Social Engineering 1
- Authentication 1
- javascript 1
- Cyber Warfare 1
- Cyber Conflict 1
- Cyber Safety 1
- PKI 1
- Cryptography 1
- Investigation 1
- Conference 2016 1
- LIFS 1
- honeypot 1
- Network Forensics 1
- dfi 1
- jekyll 1
- blogging 1
- Autopsy 4 1
- The Sleuth Kit 1
- How to 1
- Conferences 1
- Conferences 2017 1
- Optical character recognition 1
- howto 1
- mobile acquisition 1
- Metadata 1
- Bodyfile 1
- timeline 1
- editorial 1
- Public security 1
- Awareness 1
- WannaCry 1
- Ransomware 1
- Opinion 1
- National security 1
- South Korea 1
- Planning 1
- Volatility 1
- How To 1
- Memory analysis 1
- LiME 1
- emergency messaging 1
- emergency response 1
- SMS spam 1
- SMS alerts 1
- Don't do this 1
- ssdeep 1
- fuzzy hashing 1
- File formats 1
- hacking 1
- commentary 1
- Disk Acquisition 1
- Windows 1
- Sleuthkit 1
- disk imaging 1
- file system 1
- optimization 1
- zeltser 1
- knowledge 1
- how to 1
- online course 1
- digital forensic science 1
- automation 1
- telegram 1
- bot 1
- contest 1
- text analysis 1
- image analysis 1
- gImageReader 1
- tesseract ocr 1
- imagemagick 1
- tsurugi 1
- attribution 1
- false flag 1
- review 1
- UNODC 1
- security 1
- computing 1
- boinc 1
- hex 1
- timestamps 1
- twitter 1
- OSINT 1
- privacy 1
- career 1
- news 1
- iphone 1
- dev 1
- iOS 1
- DFIRDev 1
- forensics 1
- bitcoin 1
- Registry 1
- reaction 1
- ALEAPP 1
- cellebrite 1
- RAM 1
- volatility 1
- dfirscience 1
- conferences 1
- oculus 1
- vr 1
- jobs 1
- hardware 1
- walkthrough 1
- Arsenal Recon 1
- hashcat 1
- password cracking 1
- UN 1
- military 1
- Detego 1
- 4Cast 1
- aleapp 1
- development 1
- rleapp 1
dfir
What data can you find in RAM?
To determine if you need to collect Random Access Memory on-scene, it is useful to know what kinda of investigation-relevant data is often available in RAM.
Modular artifact scripts coming to iLEAPP
kviddy has been pushing some great core updates to ALEAPP. Specifically, artifact scripts are now self-contained. This means that script authors no longer ne...
Forensic 4:Cast Awards - The real award is DFriends we made along the way
Come hang out with the nominees for the Forensic 4:Cast “Best DFIR Show of the Year”: 13Cubed, I Beg to DFIR, and DFIR Science!
Digital Forensics and the Military - Interview with Andrew Lister
We often talk about digital forensics in criminal and civil investigations, but a lot of innovation happens in military acquisition and investigations. Join ...
Acquire and Analyze Random Access Memory
DFIR Science has launched a new course on learn.dfir.science on how to Collect and Analyze Random Access Memory.
What is Random Access Memory?
Random Access Memory forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a compute...
DFIR Science nominated for Forensic 4:cast Award
The DFIR Science YouTube channel was nominated for the 2022 Forensic 4:cast Awards under “DFIR Show of the Year”!
🇺🇳 Africa DFIR CTF 2022 Award Ceremony 🎉
Huge DFIR stream with a lot of Q&A. Check out the chapter times below!
Fast password cracking - Hashcat wordlists from RAM
Password cracking often takes a long time. Brute force is normally your last option. But before that, a wordlist usually helps guess the password faster.
Linux LVM Ext4 Support in Windows with Arsenal Image Mounter
Previously we showed how to access a Linux Logical Volume Manager partition inside a forensic disk image. We were looking for a way to access the LVM partiti...
Mounting Linux Logical Volumes in Forensic Disk Images
Linux supports Logical Volume Management, which assists in managing partition features such as resizing and encryption. However, many forensic tools cannot d...
Linux Forensics on Linux - Cyber5W CTF Walkthrough
Cyber5W released a Mini Linux DFIR CTF based on the Magnet Summit 2022 live CTF. It is doable if you are new to Linux investigations. A few questions are on ...
Tableau External Write Blocker Setup and Forensic Imaging Walkthrough
Forensic write blockers prevent the forensic workstation from modifying the source disk. Physical write blockers physically prevent write commands from being...
Oculus Quest 2 First Impressions and Research Notes
Recently the DFIR Community Hardware Fund purchased a Meta Oculus Quest 2 VR headset. Unboxing and device images can be found here. I finally had time to set...
Getting started in DFIR: Conferences and Workshops
Ever wonder how to be accepted to a conference? Today we talk about different types of tech conferences, and how to get started both attending and giving pre...
Introduction to Memory Forensics with Volatility 3
Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems...
Data Artifacts, Analysis Results, and Reporting in Autopsy
This is a mini-course on Autopsy. See chapter times below. You might want to watch Part 1 first - Starting a new case in Autopsy: https://youtu.be/fEqx0MeCCHg
DFIR Community Hardware Fund
A few days ago, Alexis Brignoni posted a tweet about the increased usage of the Meta Quest 2 hardware. It’s one of many devices that digital investigators wi...
Starting a New Digital Forensic Investigation Case in Autopsy
This is a mini-course on Autopsy. You might want to see the description on YouTube for chapter links.
A more efficient NSRL for digital forensics
A few days ago, Hexacorn released a blog post taking a look at the NSRL RDS hash set. I’m a total fan of hash sets. I think they are one of the easiest ways ...
DFIR filesystem POSIX gotcha - process from archives directly
I worked on the converter UFDR2DIR and ran into some weird bugs. I coded on Linux and had no trouble reconstructing Android and iOS device dumps paths. But W...
Convert UFDR to DIR
In a prior post we tested parsing a Cellebrite Reader UFDR file directly with ALEAPP. Although ALEAPP could process the file if we renamed it with a .zip ext...
Is there a difference between Digital Forensic Investigation Method and Digital Forensic Technique?
I received a great question on our YouTube channel. Edited for clarity.
How to extract files from Cellebrite Reader UFDR for ALEAPP or iLEAPP
Sometimes you are presented with odd file types from forensic tools. These odd file types are often related to forensic disk images or other containers.
Digital Forensic Scientist Reacts: Criminal Minds S01E01 - Extreme Aggressor
Writing a drama is difficult. Getting the digital forensic procedure right is more complicated. A digital forensic scientist reacts to Criminal Minds Season ...
Intro to Windows Registry Artifact Analysis - TryHackMe Walkthrough
TryHackMe recently released a room dedicated to Windows Forensics! We do a walkthrough of the TryHackMe WindowsForensics1 room and learn all about the Window...
Bitcoin forensics - visualizing blockchain transactions with Maltego
Cryptocurrency investigations - like Bitcoin forensics - usually involve blockchain transaction analysis. You can use blockchain.com Explorer to look up Bitc...
Bitcoin Investigation and Wallet Seizure
Bitcoin investigation - and cryptocurrency investigations in general - benefit from access to a transparent ledger system - or blockchain - that investigator...
Cryptocurrency Investigation - Blockchain Basics
Cryptocurrency investigation is much like other forms of financial crime investigation. Find transactions, find accounts and tie accounts to a real person. C...
iPhone forensics with Linux command line and bplister
iPhone (iOS) forensics is somewhat complicated by difficult data structures in the device. However, it is possible to do a quick iPhone investigation with ba...
Fast Software Prototyping in Python - iLEAPP module example
When adding code to a large project, like the iPhone forensic triage software iLEAPP, re-running the software over and over again to test your module can bec...
Fast iPhone forensic analysis with iLEAPP
iPhone forensic analysis can be complicated, but sometimes you need to quickly access some of the most common information. iOS Logs, Events, And Plists Parse...
How to add artifacts to ALEAPP
The Android Logs Events And Protobuf Parser (ALEAPP) is a fast triage tool for Android forensic processing. ALEAPP is relatively modular in design, and it is...
What job opportunities does digital forensics give me?
A question from a postgrad student about what they can do with a degree in digital forensics. What’s possible? Where to start?
Is this the fastest way to analyze Android?
Android forensics can take a long time to process. But if you just need a quick overview of the most common artifacts, check out the Android Logs Events And ...
WIN $100 and PRIZES - November DFIR Dev
Welcome everyone to the November DFIR Dev competition!
Android logical acquisition with android_triage
In this video, we look at the android_triage utility that helps with fast android logical acquisitions. It uses the Android Debug Bridge (adb) to connect to ...
searchScreenshots - find screenshots in a disk image
In our first live stream we looked at the Tsurugi Linux utility “searchScreenshots”. It’s a useful tool, but we can make it better! There were a few features...
Getting Started with Bento Digital Forensics Toolkit
The Bento Digital Forensics toolkit is an easy way to manage forensic tools locally or create a live response toolkit to take on-scene. Bento 2021.9 brings m...
What is an AD1?
Many people come across AD1 files during digital investigations and have trouble extracting the data they contain. See how to process an AD1 file with Access...
Use GitHub to get started in the DFIR community
Wondering where to start in the digital forensics (DFIR) community? Many projects and resources are hosted on GitHub, which allows you to easily participate....
Magnet CTF Week 12 - Registry update analysis
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 11 - DNS Cache Analysis… sort of
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 10 - Network analysis in RAM
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 9 - Digging through memory
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 8 - Persistence in plain sight
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Downloading and adding NSRL hash sets to Autopsy
Hello Jerry, They don’t make it very easy for some reason. This is the link to the download page with all hashsets. https://www.nist.gov/itl/ssd/software-qua...
Magnet CTF Week 7 - Hadoop Node Networking
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 6 - Riddle ELFs
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 5 - HDFS around the block
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 4 - GUIDSWAP and drop
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Q&A: GPS Coordinates in EXIF Data
I was just watching your video 8.3 about Autopsy, and specifically about the JPG EXIF metadata.
Custom artifact creation
Last Wednesday, I woke up to the news that my custom (Magnet) artifact submission for Solid Explorer 2 was accepted. It’s exciting because I’d never created ...
Magnet CTF Week 3 - The case of the spoiled S. Cargo
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 2 - URLs in Pictures in Pictures
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
HFS+ Header trivia
In the wee hours of Friday night, just as I was tucked in and toasty, Magnet Weekly CTF dropped a 10 point trivia question. I jumped to answer it like a kid ...
Get top tweeting usernames based on hashtag
I was thinking about the Magnet Weekly Forensics CTF Challenge. There are a few ways to get points: answering the CTF question, trivia, and posting on social...
Magnet CTF Week 1 - Timestamps of doom
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Hex editors and data structures
A student sent a question about hex editors. Hex editors are often used in forensics to view and analyze data. Viewing data in hexadecimal (hex) instead of r...
Detecting manual clock modifications
I received a question from an aspiring forensic investigator taking the Intro to Digital Forensics course.
Learn Python Programming
Programming is a useful skill for digital investigators. Not only does programming let you automate your investigation process, but it also helps build a bet...
Notes on Installing an Autopsy Multi-user Cluster
Note: This is just initial notes to get an autopsy multi-user cluster working. In my setup Autopsy is installed on Linux, and the servers are Linux-based. So...
General overview of investigation process
Many people that begin learning digital investigation, especially formally, seem to learn technical issues before the criminal investigation procedure. The p...
CFP UNODC E4J Conference Access to Justice to End Violence
Call for Papers for the UNODC E4J international academic conference on Access to Justice to End Violence.
ICDF2C 2020 @Boston Call for Papers
ICDF2C brings together researchers and practitioners in order to scientifically address the numerous challenges due to the rapid increase in the amount and v...
Attribution in investigations and false flag operations
Jake Williams gave a talk about false flag operations at Black Hat Europe 2019. I’ve talked before about organizations being either lazy or political with cy...
Tsurugi Linux for Digital Forensics - Download and verify
Tsurugi Linux is a DFIR Linux distribution by Backtrack and Deft Linux veterans. I loved DEFT, and was excited to see what the Tsurugi team had planned. This...
Research 101: How to do research in digital forensics
Digital forensic science includes many areas of study. Gaining a background in every relevant area is difficult, if not impossible. However, all knowledge in...
DFIR already has Rapid Peer Review - we can do better
Introduction Over the last few weeks Brett Shavers has been discussing how to publish DFIR research in a better way. I’ve been thinking about this from the a...
Re: Publish your #DFIR research!
This is a reply or further discussion to @Brett_Shavers post Publish your #DFIR Research.
Cybersecurity Revolution Conference 2018: Lessons learned
Last Friday was the Cybersecurity Revolution conference. The idea for the conference came from my friend at Serene-Risc. The concept was something similar to...
Linking Organized Crime and Cybercrime
The Linking Organized Crime and Cybercrime conference starts in 3 days! (June 7th and 8th)
Testing File Systems for Digital Forensic Imaging
Introduction - the problem Recently I’ve been doing a lot of large disk forensic imaging. I usually use Linux-based systems for forensic imaging. A normal ca...
How to enable SSH on a headless Rasberry Pi - Raspbian
Raspberry Pis are great for all sorts of information security related projects. They come with HDMI and USB ports, so it is easy to connect monitors and keyb...
ICDF2C 2018 Extended Call for Papers
Extended to May 14th, 2018 See more information at http://d-forensics.org/
[CFP] 11th International Workshop on Digital Forensics
WSDF 2018 - CALL FOR PAPERS Where: Hamburg Germany
Getting started in Digital Forensics
A lot of people have asked how to get started with digital forensics. It’s great that so many people from so many different places are interested. There are ...
EWF Tools: working with Expert Witness Files in Linux
Expert Witness Format (EWF) files, often saved with an E01 extension, are very common in digital investigations. Many forensic tools support E01 files, but m...
Changing Domain to DFIR.Science
CybercrimeTech started as a dfir notes blog during my Masters at University College Dublin. I wasn’t sure what it would turn into, and thought the name was g...
Password Cracking Test Data
Here are some files to test your password cracking skills. All of them can be done in less than a few hours with CPU-based cracking. You can download the fil...
[How To] Fuzzy Hashing with SSDEEP (similarity matching)
SSDEEP is a fuzzy hashing tool written by Jesse Kornblum. There is quite a bit of work about similarity hashing and comparisons with other methods. The mains...
[How To] Volatility Memory Analysis Building Linux Kernel Profiles
Memory foreniscs in Linux is not very easy. The reason is because the Linux kernel changes data structures and debug symbols often. Users can also easily mod...
Using Autopsy 4 to export file metadata
Autopsy 4 is a very powerful digital forensic investigation tool. Today, we are going to extract file and meta-data from a disk image (mobile phone) to use i...
Imaging Android with ADB, Root, Netcat and DD
Today we are going to acquire an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd. The system I am using is Ubuntu linux....
[How to] Using Tesseract-OCR to extract text from images
I recently found a tutorial on tesseract-ocr. I used tesseract a few years ago without much luck, but this time it was extremely easy.
[CFP] WSDF 2017 - extended deadline
Submission Deadline Extended to May 1st, 2017
How To - Introduction to Autopsy for Digital Forensics
Autopsy is a free, open source digital forensic tool that supports a wide range of add-on modules. Available APIs allow an investigator to easily create thei...
[How To] Digital Forensic Memory Analysis - Volatility
This week we will begin with a very basic introduction into the memory analysis framework Volatility. We will use volatility to collect information about a m...
What I’m Reading - Robust bootstrapping memory analysis against anti forensics
Today we are talking about ‘Robust bootstrapping memory analysis against anti-forensics’ by Lee Kyoungho, Hwang Hyunuk, Kim Kibom and Noh BongNam. This paper...
[How To] Digital Forensic Memory Analysis - strings, grep and photorec
This week we will show how to use basic data processing tools strings, grep and photorec to start an analysis of a Random Access Memory (RAM) image, even if ...
What I’m Reading - A functional reference model of passive systems for tracing network traffic
What I’m Reading: Today we are talking about ‘A functional reference model of passive systems for tracing network traffic’ by Thomas E. Daniels. This paper d...
How To - Forensic Memory Acquisition in Linux with LiME
This week we will be using LiME to acquire a memory image in a suspect Linux system. LiME is a loadable kernel module that needs to be compiled based on the ...
[How To] Forensic Data Recovery in Linux - tsk_recover
This week we will talk about The Sleuth Kit, and specifically the tool tsk_recover. tsk_recover is a useful tool for allocated and unallocated file recovery....
[How To] Forensic Data Recovery in Windows - Photorec
This week we will show how to use Photorec to recover data form a suspect disk image. Photorec supports the recovery of many different file types, but we wil...
Warning to Forensic Investigators: USB KILLER
This single is informational for digital forensic investigators and first responders. Be aware of the ‘USB Killer’. Very basically, it’s a USB device that co...
[How To] Forensic Acquisition in Windows - FTK Imager
In this video we show how to do a forensic acquisition of a suspect disk using FTK Imager in Windows.<div class="separator" style="clear: both; text-align...
Paid Graduate Positions Available: Digital Investigations in Internet of Things
The Legal Informatics and Forensic Science (LIFS) Institute in the College of International Studies at Hallym University, South Korea, currently has openings...
사물인터넷(IoT) 디지털 수사 관련 전액장학금 지원 석/박사 직위 공모
한림대학교 국제학부의 정보법과학전공에서는 현재 석사, 박사, 그리고 박사후과정생을 대상으로 정규직 연구원을 모집하고 있습니다. 해당 직위는 사물인터넷(IoT) 디지털 포렌식 수사에 관련된 연구를 담당하므로, 다음과 같은 자격을 요합니다. <ul><li>프로그래...
[How To] Forensic Acquisition in Linux - Guymager
This video shows how to acquire a forensic disk image of a suspect device in Linux using Guymager. Guymager is an extremely fast digital forensic imaging too...
[How To] Forensic Acquisition in Linux - DCFLDD
This video shows how to use DCFLDD to acquire a disk image from a suspect device in the Linux command line. DCFLDD is an expanded version of ‘dd’ that suppor...
[How To] Forensic Data Acquisition - Hardware Write Blockers
In this video we will show external write-blockers and describe how they are used to prevent writing data to suspect devices. We will talk about bottlenecks ...
[How To] Copy a disk image to a physical hard drive using DD
In this video we show how to copy a disk image to a physical hard drive using DD in Linux. This is useful for working with live disk images (Linux live CDs),...
[How to] Create and verify a multi-part disk image with FTK Imager
This video shows how to make a disk image using FTK Imager on a Windows system.FTK Imager is an easy to use tool for copying data from suspect disks, and has...
[CFP] Digital Investigation: Special Issue on Volatile Memory Analysis
Digital Investigation: Special Issue on Volatile Memory Analysis Deadline for submissions is 31 August 2016. Memory analysis is a hot research topic with wid...
[CFP] CLOUDFOR extended submission deadline
<pre wrap=”>CLOUDFOR 2016: Workshop on Cloud ForensicsIn conjunction with the 9th IEEE/ACM International Conference on Utility and Cloud Computing (UCC...
No Starch Press Hacking and Security books deal
Humble Bundle and No Starch Press are offering a charity deal on hacking and security books. For 15$ or more you can get 13 books! Check out the deal here: h...
[CFP] JDFSL Special issue on Cyberharassment Investigation: Advances and Trends
JDFSL Special issue on Cyberharassment Investigation: Advances and Trends. Anecdotal evidence indicates that cyber harassment is becoming more prevalent as ...
ICDF2C 2015 in Seoul, South Korea Final Program Now Available
The 7th EAI International Conference on Digital Forensics & Cyber Crime will be held OCTOBER 6–8, 2015 in SEOUL, SOUTH KOREA.The final program is now ava...
[Webinar] EnCase & Python – Extending Your Investigative Capabilities
<pre wrap=”>EnCase & Python – Extending Your Investigative CapabilitiesDate: Wednesday September 9th, 2015 Time: 11:00am PDT / 2:00pm EDT / 7:00pm ...
ICDF2C Revised Draft Program Released
7th International Conference on Digital Forensics and Cyber Crime (ICDF2C) updated program is now available here: http://bit.ly/1LsJpvM<div class="separat...
ICDF2C and SeoulTechSoc Call for Essays on Information Security
ICDF2C and Seoul Tech Society Essay Contest Have you ever surfed the Dark Web? Are you worried about the security of your virtual property? Technology is cha...
Webinar: Tackle the Legal Issues of Obtaining Digital Evidence in the Cloud
Webinar: Tackle the Legal Issues of Obtaining Digital Evidence in the Cloud Cost: FreeDate: Wed August 12th, 2015Time: 08:00am UTC / 10:00am CEST / 4:00pm AW...
Revisiting REAPER: Automating digital forensic investigations
The Rapid Evidence Acquisition Project for Event Reconstruction [1] was one of the first projects that I worked on during my PhD. It started around 2008, whe...
Child Exploitation Forensic Tool: NuDetective
I met some Brazilian Law Enforcement at the 2014 World Forensic Festival. They were talking about Child Online Exploitation in Brazil, and a tool they develo...
[CFP] ICDF2C 2015
Call for papers for the 7th International Conference on Digital Forensics and Cyber Crime (ICDF2C) Conferece Dates: October 6 - 8, 2015 Location: Seoul, Sou...
[How To] Installing LIBEWF in Ubuntu Trusty
Installing LIBEWF is normally straightforward. Usually the most difficult part is remembering which packages are required for the dependencies. When running ...
[Hash sets] Korea University DFRC Reference Data Set
If you work in the area of digital investigation, you probably know about NIST’s National Software Reference Library (NSRL). <blockquote>The National S...
Indicators of Anti-Forensics
Project: Indicators of Anti-Forensics (IoAF)Purpose: Digital forensic triage for anti-forensic activitiesStatus: ActiveLicense: GNU GPLv3Developer(s): KITRI’...
[BoB] Anti Forensics Techniques and eForensics Mag
<div style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></div>As a mentor with KITRI’s “Best of the Best v2.0” information...
[BoB] Indicators of Anti-Forensics Investigator Survey (Korean)
The following survey results are from Korean Digital Forensic Investigators concerning the use of anti-forensics observed in their investigations. This surve...
Convert EnCase hash sets to md5sum
I managed to get a hold of a list of known-bad hashes to use in an experiment. The hashes, however, were in EnCase “.hash” format.<div></div><...
Signature Based Detection of User Events for Post-Mortem Forensic Analysis
As seen on DigitalFIRE<div><div class="separator" style="clear: both; text-align: center;"></div>The concept of signatures is used in many ...
Forensic Acquisition of a Virtual Machine with Access to the Host
Someone recently asked about an easy way to create a RAW image of virtual machine (VM) disks, so here is a quick how-to.<div class="separator" style="clea...
infosec
iLEAPP and RLEAPP updates and dev thoughts
Alex (@kviddy) has been pushing some extremely useful updates to the open-source Android forensic tool - [ALEAPP](https://github.com/abrignoni/ALEAPP]. Speci...
What data can you find in RAM?
To determine if you need to collect Random Access Memory on-scene, it is useful to know what kinda of investigation-relevant data is often available in RAM.
Modular artifact scripts coming to iLEAPP
kviddy has been pushing some great core updates to ALEAPP. Specifically, artifact scripts are now self-contained. This means that script authors no longer ne...
Forensic 4:Cast Awards - The real award is DFriends we made along the way
Come hang out with the nominees for the Forensic 4:Cast “Best DFIR Show of the Year”: 13Cubed, I Beg to DFIR, and DFIR Science!
Digital Forensics and the Military - Interview with Andrew Lister
We often talk about digital forensics in criminal and civil investigations, but a lot of innovation happens in military acquisition and investigations. Join ...
Acquire and Analyze Random Access Memory
DFIR Science has launched a new course on learn.dfir.science on how to Collect and Analyze Random Access Memory.
What is Random Access Memory?
Random Access Memory forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a compute...
DFIR Science nominated for Forensic 4:cast Award
The DFIR Science YouTube channel was nominated for the 2022 Forensic 4:cast Awards under “DFIR Show of the Year”!
🇺🇳 Africa DFIR CTF 2022 Award Ceremony 🎉
Huge DFIR stream with a lot of Q&A. Check out the chapter times below!
Fast password cracking - Hashcat wordlists from RAM
Password cracking often takes a long time. Brute force is normally your last option. But before that, a wordlist usually helps guess the password faster.
Linux LVM Ext4 Support in Windows with Arsenal Image Mounter
Previously we showed how to access a Linux Logical Volume Manager partition inside a forensic disk image. We were looking for a way to access the LVM partiti...
Mounting Linux Logical Volumes in Forensic Disk Images
Linux supports Logical Volume Management, which assists in managing partition features such as resizing and encryption. However, many forensic tools cannot d...
Linux Forensics on Linux - Cyber5W CTF Walkthrough
Cyber5W released a Mini Linux DFIR CTF based on the Magnet Summit 2022 live CTF. It is doable if you are new to Linux investigations. A few questions are on ...
Tableau External Write Blocker Setup and Forensic Imaging Walkthrough
Forensic write blockers prevent the forensic workstation from modifying the source disk. Physical write blockers physically prevent write commands from being...
Oculus Quest 2 First Impressions and Research Notes
Recently the DFIR Community Hardware Fund purchased a Meta Oculus Quest 2 VR headset. Unboxing and device images can be found here. I finally had time to set...
Getting started in DFIR: Conferences and Workshops
Ever wonder how to be accepted to a conference? Today we talk about different types of tech conferences, and how to get started both attending and giving pre...
Introduction to Memory Forensics with Volatility 3
Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems...
Data Artifacts, Analysis Results, and Reporting in Autopsy
This is a mini-course on Autopsy. See chapter times below. You might want to watch Part 1 first - Starting a new case in Autopsy: https://youtu.be/fEqx0MeCCHg
Starting a New Digital Forensic Investigation Case in Autopsy
This is a mini-course on Autopsy. You might want to see the description on YouTube for chapter links.
A more efficient NSRL for digital forensics
A few days ago, Hexacorn released a blog post taking a look at the NSRL RDS hash set. I’m a total fan of hash sets. I think they are one of the easiest ways ...
DFIR filesystem POSIX gotcha - process from archives directly
I worked on the converter UFDR2DIR and ran into some weird bugs. I coded on Linux and had no trouble reconstructing Android and iOS device dumps paths. But W...
Is there a difference between Digital Forensic Investigation Method and Digital Forensic Technique?
I received a great question on our YouTube channel. Edited for clarity.
Intro to Windows Registry Artifact Analysis - TryHackMe Walkthrough
TryHackMe recently released a room dedicated to Windows Forensics! We do a walkthrough of the TryHackMe WindowsForensics1 room and learn all about the Window...
Software supply chain and vulnerability assessment with syft and grype
Software supply chain vulnerabilities have resulted in large-scale attacks in recent years. Understanding the supply chain in an organization is difficult si...
Log4j vulnerability, supply chain attacks and SBOMs
The logging software Log4j was recently found to have an injection vulnerability that allowed remote code execution (RCE) among other vectors of attack. The ...
iPhone forensics with Linux command line and bplister
iPhone (iOS) forensics is somewhat complicated by difficult data structures in the device. However, it is possible to do a quick iPhone investigation with ba...
Fast Software Prototyping in Python - iLEAPP module example
When adding code to a large project, like the iPhone forensic triage software iLEAPP, re-running the software over and over again to test your module can bec...
7 Million Records Lost in Robinhood Security Breach
Robinhood - a stock trading application - recently revealed a data breach that resulted in the loss of approximately 7 million user records. Most of these we...
How to add artifacts to ALEAPP
The Android Logs Events And Protobuf Parser (ALEAPP) is a fast triage tool for Android forensic processing. ALEAPP is relatively modular in design, and it is...
Is this the fastest way to analyze Android?
Android forensics can take a long time to process. But if you just need a quick overview of the most common artifacts, check out the Android Logs Events And ...
Android logical acquisition with android_triage
In this video, we look at the android_triage utility that helps with fast android logical acquisitions. It uses the Android Debug Bridge (adb) to connect to ...
searchScreenshots - find screenshots in a disk image
In our first live stream we looked at the Tsurugi Linux utility “searchScreenshots”. It’s a useful tool, but we can make it better! There were a few features...
Amazon AWS EC2 Forensic Memory Acquisition - LiME
EC2 Forensics can use many of the same tools and techniques as computer forensics. Usually, just with the addition of networking concepts. In this video, we ...
Getting Started with Bento Digital Forensics Toolkit
The Bento Digital Forensics toolkit is an easy way to manage forensic tools locally or create a live response toolkit to take on-scene. Bento 2021.9 brings m...
What is an AD1?
Many people come across AD1 files during digital investigations and have trouble extracting the data they contain. See how to process an AD1 file with Access...
Is Protonmail Broken?
Security-focused email provider ProtonMail was found to provide the IP address of a French activist to Swiss authorities. This is despite the fact that Proto...
Use GitHub to get started in the DFIR community
Wondering where to start in the digital forensics (DFIR) community? Many projects and resources are hosted on GitHub, which allows you to easily participate....
Magnet CTF Week 12 - Registry update analysis
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 11 - DNS Cache Analysis… sort of
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 10 - Network analysis in RAM
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 9 - Digging through memory
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 8 - Persistence in plain sight
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Downloading and adding NSRL hash sets to Autopsy
Hello Jerry, They don’t make it very easy for some reason. This is the link to the download page with all hashsets. https://www.nist.gov/itl/ssd/software-qua...
Magnet CTF Week 7 - Hadoop Node Networking
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 6 - Riddle ELFs
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 5 - HDFS around the block
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 4 - GUIDSWAP and drop
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Q&A: GPS Coordinates in EXIF Data
I was just watching your video 8.3 about Autopsy, and specifically about the JPG EXIF metadata.
Custom artifact creation
Last Wednesday, I woke up to the news that my custom (Magnet) artifact submission for Solid Explorer 2 was accepted. It’s exciting because I’d never created ...
Magnet CTF Week 3 - The case of the spoiled S. Cargo
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 2 - URLs in Pictures in Pictures
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
HFS+ Header trivia
In the wee hours of Friday night, just as I was tucked in and toasty, Magnet Weekly CTF dropped a 10 point trivia question. I jumped to answer it like a kid ...
Get top tweeting usernames based on hashtag
I was thinking about the Magnet Weekly Forensics CTF Challenge. There are a few ways to get points: answering the CTF question, trivia, and posting on social...
Magnet CTF Week 1 - Timestamps of doom
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Hex editors and data structures
A student sent a question about hex editors. Hex editors are often used in forensics to view and analyze data. Viewing data in hexadecimal (hex) instead of r...
Detecting manual clock modifications
I received a question from an aspiring forensic investigator taking the Intro to Digital Forensics course.
Learn Python Programming
Programming is a useful skill for digital investigators. Not only does programming let you automate your investigation process, but it also helps build a bet...
Notes on Installing an Autopsy Multi-user Cluster
Note: This is just initial notes to get an autopsy multi-user cluster working. In my setup Autopsy is installed on Linux, and the servers are Linux-based. So...
General overview of investigation process
Many people that begin learning digital investigation, especially formally, seem to learn technical issues before the criminal investigation procedure. The p...
CFP UNODC E4J Conference Access to Justice to End Violence
Call for Papers for the UNODC E4J international academic conference on Access to Justice to End Violence.
ICDF2C 2020 @Boston Call for Papers
ICDF2C brings together researchers and practitioners in order to scientifically address the numerous challenges due to the rapid increase in the amount and v...
Attribution in investigations and false flag operations
Jake Williams gave a talk about false flag operations at Black Hat Europe 2019. I’ve talked before about organizations being either lazy or political with cy...
Tsurugi Linux for Digital Forensics - Download and verify
Tsurugi Linux is a DFIR Linux distribution by Backtrack and Deft Linux veterans. I loved DEFT, and was excited to see what the Tsurugi team had planned. This...
Research 101: How to do research in digital forensics
Digital forensic science includes many areas of study. Gaining a background in every relevant area is difficult, if not impossible. However, all knowledge in...
DFIR already has Rapid Peer Review - we can do better
Introduction Over the last few weeks Brett Shavers has been discussing how to publish DFIR research in a better way. I’ve been thinking about this from the a...
Re: Publish your #DFIR research!
This is a reply or further discussion to @Brett_Shavers post Publish your #DFIR Research.
Cybersecurity Revolution Conference 2018: Lessons learned
Last Friday was the Cybersecurity Revolution conference. The idea for the conference came from my friend at Serene-Risc. The concept was something similar to...
Linking Organized Crime and Cybercrime
The Linking Organized Crime and Cybercrime conference starts in 3 days! (June 7th and 8th)
Testing File Systems for Digital Forensic Imaging
Introduction - the problem Recently I’ve been doing a lot of large disk forensic imaging. I usually use Linux-based systems for forensic imaging. A normal ca...
How to enable SSH on a headless Rasberry Pi - Raspbian
Raspberry Pis are great for all sorts of information security related projects. They come with HDMI and USB ports, so it is easy to connect monitors and keyb...
ICDF2C 2018 Extended Call for Papers
Extended to May 14th, 2018 See more information at http://d-forensics.org/
[CFP] 11th International Workshop on Digital Forensics
WSDF 2018 - CALL FOR PAPERS Where: Hamburg Germany
Getting started in Digital Forensics
A lot of people have asked how to get started with digital forensics. It’s great that so many people from so many different places are interested. There are ...
EWF Tools: working with Expert Witness Files in Linux
Expert Witness Format (EWF) files, often saved with an E01 extension, are very common in digital investigations. Many forensic tools support E01 files, but m...
A comment on Applebys reaction to the Paradise Papers
Today the International Consortium of Investigative Journalists (ICIJ) released “The Paradise Papers.” These look to be a massive collection of documents re...
Password Cracking Test Data
Here are some files to test your password cracking skills. All of them can be done in less than a few hours with CPU-based cracking. You can download the fil...
[How To] Fuzzy Hashing with SSDEEP (similarity matching)
SSDEEP is a fuzzy hashing tool written by Jesse Kornblum. There is quite a bit of work about similarity hashing and comparisons with other methods. The mains...
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
[How To] Volatility Memory Analysis Building Linux Kernel Profiles
Memory foreniscs in Linux is not very easy. The reason is because the Linux kernel changes data structures and debug symbols often. Users can also easily mod...
Korean National Security Includes Cybersecurity
Opinion originally posted by Korea Times as Letters to President Moon
When National Security Turns Against You
Opinion originally published by Korea Times
Ransomware and How to Protect Yourself
Originally Published in Korean at NewsTapa.org
Using Autopsy 4 to export file metadata
Autopsy 4 is a very powerful digital forensic investigation tool. Today, we are going to extract file and meta-data from a disk image (mobile phone) to use i...
Imaging Android with ADB, Root, Netcat and DD
Today we are going to acquire an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd. The system I am using is Ubuntu linux....
[CFP] WSDF 2017 - extended deadline
Submission Deadline Extended to May 1st, 2017
HowTo
[How to] Using Tesseract-OCR to extract text from images
I recently found a tutorial on tesseract-ocr. I used tesseract a few years ago without much luck, but this time it was extremely easy.
[How to] GPG and Signing Data
GNU Privacy Guard (GPG) uses public and private keys to secure communications (public-key cryptography). Many people use it to encrypt their email or other d...
[How to] Beginner Introduction to The Sleuth Kit (command line)
Today we will give a beginner-level introduction to The Sleuth Kit from command line. If this video is helpful, I highly recommend reading The Law Enforcemen...
[How to] Installing and updating Linux in Virtualbox
Today we are going to install and update a Debian-based operating system in VirtualBox as a guest operating system.The first video goes through creating a vi...
[How To] Digital Forensic Memory Analysis - Volatility
This week we will begin with a very basic introduction into the memory analysis framework Volatility. We will use volatility to collect information about a m...
[How To] Digital Forensic Memory Analysis - strings, grep and photorec
This week we will show how to use basic data processing tools strings, grep and photorec to start an analysis of a Random Access Memory (RAM) image, even if ...
How To - Forensic Memory Acquisition in Linux with LiME
This week we will be using LiME to acquire a memory image in a suspect Linux system. LiME is a loadable kernel module that needs to be compiled based on the ...
[How To] Forensic Data Recovery in Linux - tsk_recover
This week we will talk about The Sleuth Kit, and specifically the tool tsk_recover. tsk_recover is a useful tool for allocated and unallocated file recovery....
[How To] Forensic Data Recovery in Windows - Photorec
This week we will show how to use Photorec to recover data form a suspect disk image. Photorec supports the recovery of many different file types, but we wil...
[How To] Forensic Acquisition in Windows - FTK Imager
In this video we show how to do a forensic acquisition of a suspect disk using FTK Imager in Windows.<div class="separator" style="clear: both; text-align...
[How To] Forensic Acquisition in Linux - Guymager
This video shows how to acquire a forensic disk image of a suspect device in Linux using Guymager. Guymager is an extremely fast digital forensic imaging too...
[How To] Forensic Acquisition in Linux - DCFLDD
This video shows how to use DCFLDD to acquire a disk image from a suspect device in the Linux command line. DCFLDD is an expanded version of ‘dd’ that suppor...
[How To] Forensic Data Acquisition - Hardware Write Blockers
In this video we will show external write-blockers and describe how they are used to prevent writing data to suspect devices. We will talk about bottlenecks ...
[How To] Copy a disk image to a physical hard drive using DD
In this video we show how to copy a disk image to a physical hard drive using DD in Linux. This is useful for working with live disk images (Linux live CDs),...
[How to] Create and verify a multi-part disk image with FTK Imager
This video shows how to make a disk image using FTK Imager on a Windows system.FTK Imager is an easy to use tool for copying data from suspect disks, and has...
[How-to] Load a multi-part disk image into FTK Imager
When working with multi-part disk images, it can be confusing to see if your tool has loaded all of the image or just a part. Below is one way to determine i...
How to print a double-side PDF booklet with a single-side printer
I only very rarely need to print something. However, printing things like grade reports and student schedules can come in handy. Since we don’t have a commun...
[How-To] Installing thc Hydra in Ubuntu
The steps below are how to easily install thc Hydra in Ubuntu with the majority of required libraries for common tasks. Hydra is a pretty well-known remote a...
[How-To] Using GnuPG to verify data using detached signatures
Many software downloads come with a signature file. You normally need to download this signature file separately. Signatures are a great way to let people ...
Clearing USB disk read cache for testing and forensics in Linux
When copying data from USB devices in Linux (Debian / Ubuntu), you may have noticed that reading data from the disk the first time takes a while, and readin...
Modifying Javascript Variables Real Time with Chrome aka AdBlock Detection Subversion
Sometimes you may want to see what scripts a website is trying to run on your system. Other times you may want to be able to not only watch, but also modify ...
John the Ripper shared library error path fix on Linux
If you are using John the Ripper with CUDA, and you start to see errors like:<blockquote class="tr_bq">./unshadow: error while loading shared libraries...
Attacking Zip File Passwords from the Command Line
There was recently a question on SuperUser linking back to CybercrimeTech’s article about cracking passwords, with an issue about zip files using ZipCrypto, ...
[How To] Installing LIBEWF in Ubuntu Trusty
Installing LIBEWF is normally straightforward. Usually the most difficult part is remembering which packages are required for the dependencies. When running ...
[How To] Easy Install TexStudio on Ubuntu
I mess around with the internals of my operating systems a lot. This means that every few months I need to re-install my operating system, which, lately, is ...
[How to] Brute forcing password cracking devices (LUKS)
We have written in the past about how to crack passwords on password-protected RAR and ZIP files, but in those cases someone wrote a program to extract the p...
How-to - Cracking ZIP and RAR protected files with John the Ripper
After seeing how to compile John the Ripper to use all your computer’s processors now we can use it for some tasks that may be useful to digital forensic inv...
How-to - Compiling John the Ripper to use all your processors for password cracking
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect w...
[How-to] Check if your system is vulnerable to the Heartbleed OpenSSL bug
The Heartbleed OpenSSL bug can leave a lot of systems open to exploitation. To see whether your system is vulnerable try the following.<div></div>...
Installing Cinnamon 2.0 on Linux Mint 14
With only a few weeks (hopefully) until Linux Mint 16 is released, I have been installing different software that I may want to start using. With all my data...
Sending a manually encrypted email using a public key
Some web-based email services don’t have an encryption client available, but if you still want to be able to encrypt an email using someone’s ...
Using XARGS to speed up batch processing
[Edit 24/7/2013] Be careful when using xargs to spawn multiple processes that write to the same file. I’ve been using it with md5sum and pipin...
md5sum vs. md5deep vs. openssl md5: MD5 calculation speed test
The following experiment is conducted to determine if md5sum, md5deep or openssl md5 hash calculations are faster than the others. Methodology:<div>Te...
[How to] Install pHash on Ubuntu
pHash is an open source software library released under the GPLv3 license that implements several perceptual hashing algorithms, and provides a C-like API to...
Notes on Installing Linux Mint on a Dell Inspiron 15z 5523
[Update 29/5/2013] The last several days the Banshee music player tends to crash the audio driver sometimes when skipping tracks. Ctrl+alt+backspace brings s...
Creating and Configuring a Large Redundant Storage Array for a Network Share in Ubuntu using MDADM
We had a hardware RAID card that worked well in Windows, but was giving some issues in Linux (Ubuntu 12.04). So, we decided to try to setup a software array ...
Another SDHASH Test with Picture Files
After the last SDHASH test showed that fuzzy hashing on multiple sizes of the same picture files did not appear to work well. I decided to try...
Comparing Fuzzy Hashes of Different Sizes of the Same Picture (SDHASH)
In a previous single, we looked at setting up and using SDHASH. After comparing modified files and, and getting a high score for similarity, w...
Similarity Comparison with SDHASH (fuzzy hashing)
Being a fan of ssdeep for fuzzy hashing, I was interested in this article comparing ssdeep to sdhash.As the article says, ssdeep basically bre...
Installing Log2Timeline on Ubuntu 12.04
The maintainers of log2timeline have yet to set up a repository for Ubuntu Precise (12.04). Here are the required packages needed to get most of the function...
ZFS and NFS for Forensic Storage Servers
We’ve been looking at different storage solutions to act as storage servers for forensic images, and some extracted data. Essentially we have a server with e...
Forensic Acquisition of a Virtual Machine with Access to the Host
Someone recently asked about an easy way to create a RAW image of virtual machine (VM) disks, so here is a quick how-to.<div class="separator" style="clea...
Installing OCFA 2.3.X with FIVES
In this single we will be installing OCFA 2.3.0 rc4 on Debian Squeeze (6)I will be following the documentation from: http://sourceforge.net/apps/trac/ocfa/wi...
Building FIVES Porndetect Image and Video
Installation of FIVES Porndetect was relatively painless on Debian Squeeze (Lenny is a bit of a pain).First get the F_PORNDETECT.doc from the FIVES portal. T...
Installing a Eucalyptus Cloud with Debian Squeeze
When trying to install Eucalyptus on Debian, the newest version seemed to be packaged for Squeeze. I tried this directly on Lenny, but it did not work. I hav...
Converting Parallels Disks to Raw on OS X
Update: See the forensic focus article: http://articles.forensicfocus.com/2012/07/05/parallels-hard-drive-image-converting-for-analysis/Update: I have had pr...
Video Preview from Command Line with ffmpeg
Earlier I singleed about creating an animated preview gif from a given video. When using that method with a file list, ffmpeg would treat the file name as a ...
Video Screenshot Preview gif Built from Command-Line Linux
Edit: This version will produce errors when using a file list. See this single for a more reliable way.I have been searching for a while for a way to create ...
CarvFS on Mac OSx
A while ago I briefly used CarvFS on a linux system for testing. It was nice. Zero-storage carving can come in handy, especially when you are dealing with li...
SIMILE Timeplot graphing hours minutes seconds
All of the examples for SIMILE Timeplot are in YYYY/MM/DD format. I was wanting to plot data down to the minute/second. Looking around I found that the date ...
SIMILE Widgets: Timeline and Timeplot Mac OSx Install
Looking around I just found the SIMILE project. I have been messing around with TSK’s fls and looking into log2timeline and think SIMILE widgets might be use...
cpan Date::Manip perl module on Darwin (not Darwin ports)
When attempting to install the Date::Manip perl module via cpan on Darwin it will probably give an error like:<blockquote>make: *** [test_dynamic] Erro...
RE: Read-Only Loopback to Physical Disk
A reader sent a very informative email in reply to this single about Read-Only Loopback Devices.http://www.denisfrati.it/pdf/Linux_for_computer_forensic_inve...
How to detect when OCFA is done processing
As emailed to be by Jochen:I think it is possible to detect completion of the process, even if it is not that simple, due to the distributed nature of OCFA. ...
REAPER SVN Access
Instructions for using SVN to get the newest version of the REAPER Project:These instructions are for SVN from a Linux command line, and specifically Debian....
Read-Only Loopback to Physical Disk
I have been testing file carving to try to preview the contents of a drive before imaging. File carving takes a long, long time. A faster solution (I think) ...
PostgreSql Problems on Debian
In Debian 5 when installing PostgreSQL - if /var/singlegresql/8.3/main is not created, and the conf files are not available - use the following command:pg_cr...
Even more Random links: psql
PSQL on Machttp://www.entropy.ch/software/macosx/singlegresql/Enable psql remote access over tcp/iphttp://www.cyberciti.biz/tips/singlegres-allow-remote-acce...
Creating and Modifying a User in PSQL
When installing OcfaArch on Debain 5, the installer failed to create the ‘ocfa’ user in singlegresql (psql). The error I get is “Warning: no local database f...
pt.3 OCFA Installation - DNS, Apache and Permissions
After completing pt.1 and pt.2 BIND, Apache and some permissions still need to be set before everything will work all hunky-dory.Setting up DNSNavigate to /e...
OCFA Installation - Creating the Hash Sets
Maybe I am just a novice, but I had a hard time figuring out the inputs for the creation of the hash database for the OCFA digest module. This step can be fo...
OCFA Installation - Creating a Temporary Share
This single will cover creating a temporary file share on your Samba server to easily share packages. This tutorial is geared towards OCFA on Debian users, b...
pt.2 OCFA Installation - Prep and Building
Now that we have a working Debian install, we can get it ready for OCFA.Again this is s supplement to the ‘HOWTO-INSTALL-debian-etch.txt’ foun...
pt.1 OCFA Installation - Introduction/OS
The installation document for the Open Computer Forensic Architecture was mostly accurate. However, I ran into some issues. Posts labeled OCFAInstall are sup...
Digital Forensics
[How to] Beginner Introduction to The Sleuth Kit (command line)
Today we will give a beginner-level introduction to The Sleuth Kit from command line. If this video is helpful, I highly recommend reading The Law Enforcemen...
[How To] Digital Forensic Memory Analysis - Volatility
This week we will begin with a very basic introduction into the memory analysis framework Volatility. We will use volatility to collect information about a m...
What I’m Reading - Robust bootstrapping memory analysis against anti forensics
Today we are talking about ‘Robust bootstrapping memory analysis against anti-forensics’ by Lee Kyoungho, Hwang Hyunuk, Kim Kibom and Noh BongNam. This paper...
[How To] Digital Forensic Memory Analysis - strings, grep and photorec
This week we will show how to use basic data processing tools strings, grep and photorec to start an analysis of a Random Access Memory (RAM) image, even if ...
How To - Forensic Memory Acquisition in Linux with LiME
This week we will be using LiME to acquire a memory image in a suspect Linux system. LiME is a loadable kernel module that needs to be compiled based on the ...
[How To] Forensic Data Recovery in Linux - tsk_recover
This week we will talk about The Sleuth Kit, and specifically the tool tsk_recover. tsk_recover is a useful tool for allocated and unallocated file recovery....
[How To] Forensic Data Recovery in Windows - Photorec
This week we will show how to use Photorec to recover data form a suspect disk image. Photorec supports the recovery of many different file types, but we wil...
Warning to Forensic Investigators: USB KILLER
This single is informational for digital forensic investigators and first responders. Be aware of the ‘USB Killer’. Very basically, it’s a USB device that co...
[How To] Forensic Acquisition in Windows - FTK Imager
In this video we show how to do a forensic acquisition of a suspect disk using FTK Imager in Windows.<div class="separator" style="clear: both; text-align...
[How To] Forensic Acquisition in Linux - Guymager
This video shows how to acquire a forensic disk image of a suspect device in Linux using Guymager. Guymager is an extremely fast digital forensic imaging too...
[How To] Forensic Acquisition in Linux - DCFLDD
This video shows how to use DCFLDD to acquire a disk image from a suspect device in the Linux command line. DCFLDD is an expanded version of ‘dd’ that suppor...
[How To] Forensic Data Acquisition - Hardware Write Blockers
In this video we will show external write-blockers and describe how they are used to prevent writing data to suspect devices. We will talk about bottlenecks ...
[How To] Copy a disk image to a physical hard drive using DD
In this video we show how to copy a disk image to a physical hard drive using DD in Linux. This is useful for working with live disk images (Linux live CDs),...
[How to] Create and verify a multi-part disk image with FTK Imager
This video shows how to make a disk image using FTK Imager on a Windows system.FTK Imager is an easy to use tool for copying data from suspect disks, and has...
[How-to] Load a multi-part disk image into FTK Imager
When working with multi-part disk images, it can be confusing to see if your tool has loaded all of the image or just a part. Below is one way to determine i...
Postdoctoral Positions Available at Hallym University, South Korea
Hello everyone! We have an opportunity for singledoctoral research positions. Positions with the Legal Informatics and Forensic Science Institute at Hallym U...
Open Source Tools Accepted in Court
Reply to an email I received:<div class="separator" style="clear: both; text-align: center;"></div><div><div><div><div>Is...
Finding private IP addresses in Email Headers
In some cases it may be necessary or helpful to find the private IP of a suspect. This can be difficult, especially since NAT is common in most networks. How...
ICDF2C 2015 in Seoul, South Korea Final Program Now Available
The 7th EAI International Conference on Digital Forensics & Cyber Crime will be held OCTOBER 6–8, 2015 in SEOUL, SOUTH KOREA.The final program is now ava...
Revisiting REAPER: Automating digital forensic investigations
The Rapid Evidence Acquisition Project for Event Reconstruction [1] was one of the first projects that I worked on during my PhD. It started around 2008, whe...
Child Exploitation Forensic Tool: NuDetective
I met some Brazilian Law Enforcement at the 2014 World Forensic Festival. They were talking about Child Online Exploitation in Brazil, and a tool they develo...
[CFP] ICDF2C 2015
Call for papers for the 7th International Conference on Digital Forensics and Cyber Crime (ICDF2C) Conferece Dates: October 6 - 8, 2015 Location: Seoul, Sou...
[How To] Installing LIBEWF in Ubuntu Trusty
Installing LIBEWF is normally straightforward. Usually the most difficult part is remembering which packages are required for the dependencies. When running ...
[Hash sets] Korea University DFRC Reference Data Set
If you work in the area of digital investigation, you probably know about NIST’s National Software Reference Library (NSRL). <blockquote>The National S...
Indicators of Anti-Forensics
Project: Indicators of Anti-Forensics (IoAF)Purpose: Digital forensic triage for anti-forensic activitiesStatus: ActiveLicense: GNU GPLv3Developer(s): KITRI’...
[BoB] Anti Forensics Techniques and eForensics Mag
<div style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></div>As a mentor with KITRI’s “Best of the Best v2.0” information...
[BoB] Indicators of Anti-Forensics Investigator Survey (Korean)
The following survey results are from Korean Digital Forensic Investigators concerning the use of anti-forensics observed in their investigations. This surve...
Convert EnCase hash sets to md5sum
I managed to get a hold of a list of known-bad hashes to use in an experiment. The hashes, however, were in EnCase “.hash” format.<div></div><...
Signature Based Detection of User Events for Post-Mortem Forensic Analysis
As seen on DigitalFIRE<div><div class="separator" style="clear: both; text-align: center;"></div>The concept of signatures is used in many ...
Forensic Acquisition of a Virtual Machine with Access to the Host
Someone recently asked about an easy way to create a RAW image of virtual machine (VM) disks, so here is a quick how-to.<div class="separator" style="clea...
Discussion
Koreas first step to globalization through ODT
ZDNet Korea reports that the South Korean government is making a first-step to shift from the proprietary Hangul Word Processor (HWP) file format (.hwp) to t...
[How to] GPG and Signing Data
GNU Privacy Guard (GPG) uses public and private keys to secure communications (public-key cryptography). Many people use it to encrypt their email or other d...
No More Ransom - Detecting and unlocking ransomware without paying
Data is valuable. Ransomware takes advantage of the financial or sentimental value of our data, as well as the fact that most homes and organizations do not ...
Warning to Forensic Investigators: USB KILLER
This single is informational for digital forensic investigators and first responders. Be aware of the ‘USB Killer’. Very basically, it’s a USB device that co...
Open Source Tools Accepted in Court
Reply to an email I received:<div class="separator" style="clear: both; text-align: center;"></div><div><div><div><div>Is...
Child Predator Social Experiment - Another Form of Child Abuse?
I recently found a video claiming to be a 'child predator social experiment'. The idea is that children have access to different types of social media, and t...
Ashley Madison Data and Ethical Use
On August 19th, the Impact Team released data of millions of alleged Ashley Madison users. Ashley Madison is a type of social networking website that promote...
FIDO Alliance Password-less Authentication Spec.
[Edited 2015-02-02]Last month, the FIDO Alliance released specifications that attempt to remove passwords from authentication. A few years ago, Google was al...
What is your password?
Jimmy Kimmel, a U.S. talk show host, commented on U.S. cyber security after the 2014 Sony attacks. To humorously demonstrate the problem, they employed a bit...
U.K. Adopts Open Document Formats to Improve Communication
According to UK.gov, the UK Government is adopting open formats for all of its government documents. The formats are PDF/A and HTML from viewing government d...
Dark Nets and Why They Are a Challenge for Police
Based on the BBC News article “Dark net used by tens of thousands of paedophiles” (2014), one might wonder what “Dark Net” is, and why Police are having such...
An Argument for Assumed Extra-territorial Consent During Cybercrime Investigations
As seen on DigitalFIRE.ucd.ieDuring cybercrime investigations it’s common to find that a suspect has used technology in a country outside of the territorial ...
Cybersecurity and Challenges to Democracy
South Korea’s democracy can only be described as… developing. In the late 1970s, after the assassination of Military Dictator Park Chung-hee (who Koreans oft...
What is Cybersecurity?
Last week, a number of Korean organizations fell victim to cyber attacks. This has prompted discussions about cybersecurity in Korea, and while following ...
Social Media and Intelligence Gathering
As seen on DigitalFIREOnline social media has changed the way many people, businesses and even governments interact with each other. Because of Twitter’s pop...
Encrypted backup and the importance of redundancy
As more online storage is made available, it is often convenient to store our personal documents on the web to share between devices or with friends, family...
Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 2
A while back we looked at Challenge 1 in the Four Grand Challenges in Trustworthy Computing from 2003. In my opinion, we have fallen quite short on Challenge...
Future Crimes Ted Talk
[Update] See Bruce Schneier’s responseOur friends at FutureCrimes.com recently had a good Ted talk about technology, crime and a potential way to fight crime...
Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 1
Almost a decade ago, the Computing Research Association published Four Grand Challenges in Trustworthy Computing. Working in a rapidly-evolving digital field...
Predictive Policing and Online Crime
FutureCrimes.com just passed on the single Sci-fi policing: predicting crime before it occurs. Crime modeling used by the LAPD appears to have contributed t...
International Symposium on Cybercrime Response (ISCR) 2012
I’m just back from the 1st INTERPOL NCRP Cybercrime Training Workshop and International Symposium on Cybercrime Response 2012, held in Seoul, South Korea. Th...
Research
What I’m Reading - A functional reference model of passive systems for tracing network traffic
What I’m Reading: Today we are talking about ‘A functional reference model of passive systems for tracing network traffic’ by Thomas E. Daniels. This paper d...
Paid Graduate Positions Available: Digital Investigations in Internet of Things
The Legal Informatics and Forensic Science (LIFS) Institute in the College of International Studies at Hallym University, South Korea, currently has openings...
사물인터넷(IoT) 디지털 수사 관련 전액장학금 지원 석/박사 직위 공모
한림대학교 국제학부의 정보법과학전공에서는 현재 석사, 박사, 그리고 박사후과정생을 대상으로 정규직 연구원을 모집하고 있습니다. 해당 직위는 사물인터넷(IoT) 디지털 포렌식 수사에 관련된 연구를 담당하므로, 다음과 같은 자격을 요합니다. <ul><li>프로그래...
No Starch Press Hacking and Security books deal
Humble Bundle and No Starch Press are offering a charity deal on hacking and security books. For 15$ or more you can get 13 books! Check out the deal here: h...
Finding private IP addresses in Email Headers
In some cases it may be necessary or helpful to find the private IP of a suspect. This can be difficult, especially since NAT is common in most networks. How...
ICDF2C 2015 in Seoul, South Korea Final Program Now Available
The 7th EAI International Conference on Digital Forensics & Cyber Crime will be held OCTOBER 6–8, 2015 in SEOUL, SOUTH KOREA.The final program is now ava...
Ashley Madison Data and Ethical Use
On August 19th, the Impact Team released data of millions of alleged Ashley Madison users. Ashley Madison is a type of social networking website that promote...
Revisiting REAPER: Automating digital forensic investigations
The Rapid Evidence Acquisition Project for Event Reconstruction [1] was one of the first projects that I worked on during my PhD. It started around 2008, whe...
Philipp Amann interviewed about robustness and resilience in digital forensics laboratories
Forensic Focus recently interviewed Philipp Amann, Senior Strategic Analyst, Europol about our DFRWS EU 2015 paper “Designing robustness and resilience in di...
[BoB] Anti Forensics Techniques and eForensics Mag
<div style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></div>As a mentor with KITRI’s “Best of the Best v2.0” information...
Help us understand Mutual Legal Assistance and win a FIREBrick Write Blocker
Please help DigitalFIRE Labs understand the current state of Mutual Legal Assistance Requests relating to digital evidence, and be entered for a chance to wi...
Comparing Similarity of Images using SIFT Features
I’ve been playing around with VLFeat, and specifically SIFT to compare images using sift feature extraction. A while back I was looking at comparing files an...
South Korean National Cyber Terrorism Prevention Act (English)
An unofficial English translation of the proposed South Korean National Cyber Terrorism Prevention Act.The recently proposed South Korean Nati...
South Korean National Cyber Terrorism Prevention Act (Korean)
The recently proposed South Korean National Cyber Terrorism Prevention Act: [Korean PDF] [English PDF]êµ?? ?¬ì´ë²„í…Œ??ë°©ì???ê´€??법ë...
Signature Based Detection of User Events for Post-Mortem Forensic Analysis
As seen on DigitalFIRE<div><div class="separator" style="clear: both; text-align: center;"></div>The concept of signatures is used in many ...
Automata Intersection to Test Possibility of Statements in Investigations
As seen on DigitalFIRE.When conducting an investigation, many statements are given by witnesses and suspects. A “witness” could be considered as anything th...
Korean National Police University International Cybercrime Research Center
<div class="p1">Today is the inauguration of the Korean National Police University (KNPU) International Cybercrime Research Center (ICRC). The inaugura...
Survey About Crime Investigation Priority
<div class="MsoNormal">This Crime Investigation Priority survey is being conducted by a researcher at University College Dublin. The purpose is to dire...
Digital Forensic Investigation and Cloud Computing
We have a chapter in an upcoming book, Cybercrime and Cloud Forensics: Applications for Investigation ProcessesOur chapter aims to be a high-level introducti...
Digital Crime Categorization using the AFP CCPM
When attempting to gather statistics about digital crime and investigations in different countries, and sometimes on a national level, the inconsistency in c...
Infosec
[How to] GPG and Signing Data
GNU Privacy Guard (GPG) uses public and private keys to secure communications (public-key cryptography). Many people use it to encrypt their email or other d...
[How to] Beginner Introduction to The Sleuth Kit (command line)
Today we will give a beginner-level introduction to The Sleuth Kit from command line. If this video is helpful, I highly recommend reading The Law Enforcemen...
[How to] Installing and updating Linux in Virtualbox
Today we are going to install and update a Debian-based operating system in VirtualBox as a guest operating system.The first video goes through creating a vi...
What I’m Reading - A functional reference model of passive systems for tracing network traffic
What I’m Reading: Today we are talking about ‘A functional reference model of passive systems for tracing network traffic’ by Thomas E. Daniels. This paper d...
No More Ransom - Detecting and unlocking ransomware without paying
Data is valuable. Ransomware takes advantage of the financial or sentimental value of our data, as well as the fact that most homes and organizations do not ...
Paid Graduate Positions Available: Digital Investigations in Internet of Things
The Legal Informatics and Forensic Science (LIFS) Institute in the College of International Studies at Hallym University, South Korea, currently has openings...
사물인터넷(IoT) 디지털 수사 관련 전액장학금 지원 석/박사 직위 공모
한림대학교 국제학부의 정보법과학전공에서는 현재 석사, 박사, 그리고 박사후과정생을 대상으로 정규직 연구원을 모집하고 있습니다. 해당 직위는 사물인터넷(IoT) 디지털 포렌식 수사에 관련된 연구를 담당하므로, 다음과 같은 자격을 요합니다. <ul><li>프로그래...
[CFP] CLOUDFOR extended submission deadline
<pre wrap=”>CLOUDFOR 2016: Workshop on Cloud ForensicsIn conjunction with the 9th IEEE/ACM International Conference on Utility and Cloud Computing (UCC...
Facebook Capture the Flag Platform Now Available
Facebook’s hacking education platform and capture the flag is now available. See their release single here. Their goal is to educate about different types of...
Honeypot Fun
At the Legal Informatics and Forensic Science Institute, we are preparing to do some research on IoT smart homes. Part of that is setting up a slightly-less-...
No Starch Press Hacking and Security books deal
Humble Bundle and No Starch Press are offering a charity deal on hacking and security books. For 15$ or more you can get 13 books! Check out the deal here: h...
[CFP] JDFSL Special issue on Cyberharassment Investigation: Advances and Trends
JDFSL Special issue on Cyberharassment Investigation: Advances and Trends. Anecdotal evidence indicates that cyber harassment is becoming more prevalent as ...
ICDF2C 2015 in Seoul, South Korea Final Program Now Available
The 7th EAI International Conference on Digital Forensics & Cyber Crime will be held OCTOBER 6–8, 2015 in SEOUL, SOUTH KOREA.The final program is now ava...
ICDF2C Revised Draft Program Released
7th International Conference on Digital Forensics and Cyber Crime (ICDF2C) updated program is now available here: http://bit.ly/1LsJpvM<div class="separat...
ICDF2C and SeoulTechSoc Call for Essays on Information Security
ICDF2C and Seoul Tech Society Essay Contest Have you ever surfed the Dark Web? Are you worried about the security of your virtual property? Technology is cha...
Ashley Madison Data and Ethical Use
On August 19th, the Impact Team released data of millions of alleged Ashley Madison users. Ashley Madison is a type of social networking website that promote...
Conferences 2012
Webinar: Pitfalls of Interpreting Forensic Artifacts in the Windows Registry
Forensic Focus Webinar concerning analysis and of the Windows Registry from UCD’s very own Jacky Fox titled: Pitfalls of Interpreting Forensic Artifacts in t...
InfoSecurity Russia 2012
Last week, Pavel and I gave an invited talk at InfoSecurity Russia 2012. From Digital FIRE:<blockquote class="tr_bq">Our talk explored the issues of di...
Korean National Police University International Cybercrime Research Center
<div class="p1">Today is the inauguration of the Korean National Police University (KNPU) International Cybercrime Research Center (ICRC). The inaugura...
CFP: OMICS Group International Conference on Forensic Research and Technology
Open call for abstracts (will receive DOI) for the International Conference on Forensic Research and Technology. Looks like an interesting mix of all forensi...
LawTech Europe Congress 2012
LawTech Europe Congress 201212 November, 2012Prague, Czech Republic“Over the past few years there have been huge advances in Electronic Evidence support and ...
International Workshop on Digital Forensics in the Cloud 2012 (IWDFC 2012)
Unfortunately too late to submit a paper this year, but the conference may be interesting nonetheless!From International Workshop on Digital Forensics in the...
Webinar - Industrial Espionage, Weaponized Malware, and State-Sponsored Cyber Attacks - How to Identify, Counter, and React
Webinar: Industrial Espionage, Weaponized Malware, and State-Sponsored Cyber Attacks: How to Identify, Counter, and ReactDate: 31 July, 2012Time: 15:00 PT (2...
CFP: IRISSCERT Cyber Crime Conference
The IRISSCERT Cyber Crime Conference will be held November 22, 2012 in Dublin, Ireland. More information can be found here.They are currently running a call ...
Webinar - Finding Evidence in an Online World - Trends & Challenges in Digital Forensics
[Edit] A recording of the webinar can be found here: http://www.forensicfocus.com/DF_Multimedia/page=watch/id=79/d=1/Resingle from: http://www.forensicfocus....
ICTTF - Cyber Threat Summit 2012
The ICTTF Cyber Threat Summit will be held in Dublin on September 20-21, 2012. Have a look at this years agenda. You can get a 10% registratio...
International Symposium on Cybercrime Response (ISCR) 2012
I’m just back from the 1st INTERPOL NCRP Cybercrime Training Workshop and International Symposium on Cybercrime Response 2012, held in Seoul, South Korea. Th...
ICDF2C 2012
The 4th International Conference on Digital Forensics and Cyber Crime (ICDF2C), hosted at Purdue University, will be held from October 24-26, 2012.Website: h...
International Symposium on Cybercrime Response 2012
[Update]: This years ISCR is over - see my thoughts.The International Symposium on Cybercrime Response (ISCR) is an annual conference held in Seoul, South Ko...
DFRWS 2009 - Montreal
Our group in the Centre for Cybercrime Investigation gave a presentation at the Digital Forensic Workshop 2009. The submitted paper can be found here. Also a...
CTF
🇺🇳 Africa DFIR CTF 2022 Award Ceremony 🎉
Huge DFIR stream with a lot of Q&A. Check out the chapter times below!
Magnet CTF Week 12 - Registry update analysis
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 11 - DNS Cache Analysis… sort of
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 10 - Network analysis in RAM
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 9 - Digging through memory
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 8 - Persistence in plain sight
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 7 - Hadoop Node Networking
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 6 - Riddle ELFs
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 5 - HDFS around the block
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 4 - GUIDSWAP and drop
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 3 - The case of the spoiled S. Cargo
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 2 - URLs in Pictures in Pictures
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
HFS+ Header trivia
In the wee hours of Friday night, just as I was tucked in and toasty, Magnet Weekly CTF dropped a 10 point trivia question. I jumped to answer it like a kid ...
Facebook Capture the Flag Platform Now Available
Facebook’s hacking education platform and capture the flag is now available. See their release single here. Their goal is to educate about different types of...
Linux
Find and sort files by extension in the Linux command line
Easily find and sort files by extension in the Linux command line. This quick method does not require saving data to a file to output a sorted list of files ...
Slimbook Pro X Review
This post is a review of the Slimbook Pro X. I’ve been using the Slimbook for about a month. There isn’t much info available in English, so I thought I would...
[How To] Volatility Memory Analysis Building Linux Kernel Profiles
Memory foreniscs in Linux is not very easy. The reason is because the Linux kernel changes data structures and debug symbols often. Users can also easily mod...
[How to] Beginner Introduction to The Sleuth Kit (command line)
Today we will give a beginner-level introduction to The Sleuth Kit from command line. If this video is helpful, I highly recommend reading The Law Enforcemen...
[How to] Installing and updating Linux in Virtualbox
Today we are going to install and update a Debian-based operating system in VirtualBox as a guest operating system.The first video goes through creating a vi...
[How To] Copy a disk image to a physical hard drive using DD
In this video we show how to copy a disk image to a physical hard drive using DD in Linux. This is useful for working with live disk images (Linux live CDs),...
Clearing USB disk read cache for testing and forensics in Linux
When copying data from USB devices in Linux (Debian / Ubuntu), you may have noticed that reading data from the disk the first time takes a while, and readin...
John the Ripper shared library error path fix on Linux
If you are using John the Ripper with CUDA, and you start to see errors like:<blockquote class="tr_bq">./unshadow: error while loading shared libraries...
Korea Linux Forum 2014: Linux and Law Enforcement
On November 11, 2014 Joshua James of CybercrimeTech.com gave a presentation at the Korea Linux Forum on Linux and Law Enforcement: Challenges and Opportunit...
World Forensic Festival, Digital Forensic Masters and the Korea Linux Forum
A pretty busy day preparing for the World Forensic Festival next week. If you are going, please be sure to catch me on Thursday and Friday for the Digital F...
How-to - Cracking ZIP and RAR protected files with John the Ripper
After seeing how to compile John the Ripper to use all your computer’s processors now we can use it for some tasks that may be useful to digital forensic inv...
How-to - Compiling John the Ripper to use all your processors for password cracking
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect w...
Ubuntu 14.04 (Trusty Tahr) Long Term Support Released
Ubuntu 14.04 LTS has been released.This version includes a number of “under the hood” updates. Some of the most notable are:<ul><li>Linux Kernel ...
CFP 2015
ICDF2C and SeoulTechSoc Call for Essays on Information Security
ICDF2C and Seoul Tech Society Essay Contest Have you ever surfed the Dark Web? Are you worried about the security of your virtual property? Technology is cha...
[CFP] DFRWS EU 2016
The DFRWS EU 2016 conference will be held in Lausanne, Switzerland from March 30th to April 1st, 2016.<div class="separator" style="clear: both; text-alig...
[CFP] ICDF2C Submission Deadline Extended
Hello everyone! The ICDF2C Call for Papers has been extended to April 13, 2015. Hurry an submit! See you in Seoul!http://d-forensics.org/2015/show/cf-papers
[CFP] ICDF2C Submissions Due 30 March
Just a reminder that submissions for ICDF2C are due on the 30th of March, 2015 (next week).<div class="separator" style="clear: both; text-align: center;"...
[CFP] SADFE-2015
Call for Papers SADFE-2015Tenth International Conference on Systematic Approaches to Digital Forensics Engineering September 30 – October 2, 2015, Malaga, S...
[CFP] WSDF 2015: The 8th International Workshop on Digital Forensics
WSDF 2015: The 8th International Workshop on Digital Forensics http://www.ares-conference.eu/conference/workshops/wsdf-2015/ August 24-28, 2015 Toulouse, F...
2015 국제디지털포렌식 및 사이버범죄 컨퍼런스 · 한국디지털포렌식학회논문 모집 공고
2015 국제디지털포렌식 및 사이버범죄 컨퍼런스 · 한국디지털포렌식학회논문 모집 공고 Please note: all submissions and presentations must be in English. 국제디지털포렌식 및 사이버범죄 컨퍼런스(International Confer...
2015 デジタル・フォレンジックとサイバー犯罪に係る国際会議・韓国デジタル・フォレンジック学会年次大会 論文募集
2015 デジタル・フォレンジックとサイバー犯罪に係る国際会議・韓国デジタル・フォレンジック学会年次大会 論文募集 Please note: all submissions and presentations must be in English. デジタル・フォレンジックとサイバー犯罪に係る国際会議(The I...
ICDF2C, KDFS 2015 论文征文公告
ICDF2C, KDFS 2015 论文征文公告 Please note: all submissions and presentations must be in English. 国际数字取证、网络犯罪会议(ICDF2C)是旨在促进数字取证及网络犯罪侦查的发展,推动全世界的优秀研究人员、实务人员、教...
[CFP] DFRWS US 2015
Just a quick reminder that the DFRWS US 2015 is coming up soon!From DFRWS.org:DFRWS 2015 will be held on August 9-13, 2015 at the Hyatt Regency Philadelphia...
[CFP] ICDF2C 2015
Call for papers for the 7th International Conference on Digital Forensics and Cyber Crime (ICDF2C) Conferece Dates: October 6 - 8, 2015 Location: Seoul, Sou...
[CFP] Digital Forensic Research Workshop EU 2015
Digital Forensic Research Workshop (DFRWS) EU 2015 Call for PapersDublin, Ireland on the 23-26 March 2015<div><ul><li>Important Dates:</...
DFRWS 2015 EU - Call for Forensic Challenge
Digital Forensic Research Workshop 2015 EU is currently calling for Forensic Challenge proposals.See the CFCDeadline: January 31st, 2015The DFRWS Conference ...
Conferences 2015
ICDF2C 2015 in Seoul, South Korea Final Program Now Available
The 7th EAI International Conference on Digital Forensics & Cyber Crime will be held OCTOBER 6–8, 2015 in SEOUL, SOUTH KOREA.The final program is now ava...
[CFP] ICDF2C Submission Deadline Extended
Hello everyone! The ICDF2C Call for Papers has been extended to April 13, 2015. Hurry an submit! See you in Seoul!http://d-forensics.org/2015/show/cf-papers
[CFP] ICDF2C Submissions Due 30 March
Just a reminder that submissions for ICDF2C are due on the 30th of March, 2015 (next week).<div class="separator" style="clear: both; text-align: center;"...
[CFP] SADFE-2015
Call for Papers SADFE-2015Tenth International Conference on Systematic Approaches to Digital Forensics Engineering September 30 – October 2, 2015, Malaga, S...
[CFP] WSDF 2015: The 8th International Workshop on Digital Forensics
WSDF 2015: The 8th International Workshop on Digital Forensics http://www.ares-conference.eu/conference/workshops/wsdf-2015/ August 24-28, 2015 Toulouse, F...
2015 국제디지털포렌식 및 사이버범죄 컨퍼런스 · 한국디지털포렌식학회논문 모집 공고
2015 국제디지털포렌식 및 사이버범죄 컨퍼런스 · 한국디지털포렌식학회논문 모집 공고 Please note: all submissions and presentations must be in English. 국제디지털포렌식 및 사이버범죄 컨퍼런스(International Confer...
2015 デジタル・フォレンジックとサイバー犯罪に係る国際会議・韓国デジタル・フォレンジック学会年次大会 論文募集
2015 デジタル・フォレンジックとサイバー犯罪に係る国際会議・韓国デジタル・フォレンジック学会年次大会 論文募集 Please note: all submissions and presentations must be in English. デジタル・フォレンジックとサイバー犯罪に係る国際会議(The I...
ICDF2C, KDFS 2015 论文征文公告
ICDF2C, KDFS 2015 论文征文公告 Please note: all submissions and presentations must be in English. 国际数字取证、网络犯罪会议(ICDF2C)是旨在促进数字取证及网络犯罪侦查的发展,推动全世界的优秀研究人员、实务人员、教...
[CFP] DFRWS US 2015
Just a quick reminder that the DFRWS US 2015 is coming up soon!From DFRWS.org:DFRWS 2015 will be held on August 9-13, 2015 at the Hyatt Regency Philadelphia...
[CFP] ICDF2C 2015
Call for papers for the 7th International Conference on Digital Forensics and Cyber Crime (ICDF2C) Conferece Dates: October 6 - 8, 2015 Location: Seoul, Sou...
[CFP] DFRWS EU 2015 - Submission Deadline Approaching
Just a reminder that the submission deadline for DFRWS EU 2015 (hosted in Dublin, Ireland) is September 22nd, 2014!<div class="separator" style="clear: bo...
[CFP] Digital Forensic Research Workshop EU 2015
Digital Forensic Research Workshop (DFRWS) EU 2015 Call for PapersDublin, Ireland on the 23-26 March 2015<div><ul><li>Important Dates:</...
DFRWS 2015 EU - Call for Forensic Challenge
Digital Forensic Research Workshop 2015 EU is currently calling for Forensic Challenge proposals.See the CFCDeadline: January 31st, 2015The DFRWS Conference ...
Education
Getting started in Digital Forensics
A lot of people have asked how to get started with digital forensics. It’s great that so many people from so many different places are interested. There are ...
Facebook Capture the Flag Platform Now Available
Facebook’s hacking education platform and capture the flag is now available. See their release single here. Their goal is to educate about different types of...
Cybersecurity Tips for Business Travelers
I recently received an email from someone claiming to be from CNN, wanting to do a segment on cyber security for business travelers. They asked for some bul...
Online Child Exploitation Awareness Project
With the KITRI Best of the Best Information security program, we have been developing tools for Law Enforcement to use in the automatic detection of Child E...
World Forensic Festival, Digital Forensic Masters and the Korea Linux Forum
A pretty busy day preparing for the World Forensic Festival next week. If you are going, please be sure to catch me on Thursday and Friday for the Digital F...
Free Linux course from edX is a good introduction for investigators
Linux is being used in many more consumer devices. Investigators should at least have a basic idea of what Linux is, how it is different than Windows and bas...
Journal of Digital Forensics, Security and Law now Open Access
The Journal of Digital Forensics, Security and Law (JDFSL) is now an Open Access Journal. They also have a new website that uses the Open Journal System for ...
Sending a manually encrypted email using a public key
Some web-based email services don’t have an encryption client available, but if you still want to be able to encrypt an email using someone’s ...
What is Cybersecurity?
Last week, a number of Korean organizations fell victim to cyber attacks. This has prompted discussions about cybersecurity in Korea, and while following ...
Webinar - Finding Evidence in an Online World - Trends & Challenges in Digital Forensics
[Edit] A recording of the webinar can be found here: http://www.forensicfocus.com/DF_Multimedia/page=watch/id=79/d=1/Resingle from: http://www.forensicfocus....
Developing an Open Source Digital Forensics Laboratory
<div class="p1">The UCD CCI Forensic Summer School will be held here in Dublin from 20th-30th August, 2012. This year’s topic is the development of Ope...
Digital Forensics Summer School
The UCD Centre for Cybersecurity and Cybercrime Investigation will be hosting a Digital Forensic Summer School for two weeks at the end of August 2012. ...
Conferences 2013
Live Stream - 5th International Conference on Digital Forensics & Cyber Crime ICDF2C 2013
The 5th International Conference on Digital Forensics and Cyber Crime (ICDF2C) will be held this week in Moscow (September 26-27, 2013). The program can be f...
4th Annual The Sleuth Kit and Open Source Digital Forensics Conference
When: 4 Nov. 2013 Where: Chantilly, Virginia, U.S.A.<blockquote>The 4th Annual Open Source Digital Forensics Conference will be held on November 5, 201...
The 7th International Symposium on Digital Forensics and Information Security (DFIS-13)
When: September 4-6, 2013Where: Gwangju, South KoreaMore information can be found here<blockquote class="tr_bq">Digital Forensics and Information Secur...
Global Essay Competition for Seoul Conference on Cyberspace 2013
From the Korean Ministry of Foreign Affairs:1,500 to 2,000 word essayDeadline: 12 July, 2013Notification: 'end of July' More information can be found here. ...
International Symposium on Cybercrime Response (ISCR) 2013
International Symposium on Cybercrime Response (ISCR) 2013When: 25 - 27th June, 2013Location: Seoul, South KoreaWebsite: http://iscr.netan.go.kr/iscr2013/The...
[CFP] ICDF2C 2013 Note of Change of Date
Please note, the dates for the ICDF2C 2013 have slightly changed.Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 201325-27 Septe...
CFP - Eighth International Conference on Internet Monitoring and Protection ICIMP 2013
CFP: ICIMP 2013, The Eighth International Conference on Internet Monitoring and Protection June 23 - 28, 2013 - Rome, Italy Submission deadline: February 7, ...
[Webinar] DFIROnline: Memory Forensics with Volatility
For those of you interested in memory forensics with Volatility:<div class="p1">Thursday, 17 January, 2013 - 20:00 EST (GMT - 5)</div><div cla...
Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 2013
Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 201325-27 September 2013Moscow, Russiahttp://www.d-forensics.org/2013Submission ...
Digital Forensic Research Workshop (DFRWS) 2013
CFP DFRWS 2013Important dates:<ul><li>Submission deadline: February 20, 2013 (any time zone). This is a firm deadline. </li><li>Autho...
Conference: SANS DFIR Summit 2013
SANS DFIR Summit 2013 - Call For Speakers - Now Open<div class="summary" style="border: 0px; font-family: Arial, Helvetica, 'Nimbus Sans L', sans-serif; f...
CFP - Heterogeneous Networking for Quality, Reliability, Security and Robustness - Qshine 2013
9th International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness - Qshine 201311th-12th January 2013 Gautam Buddha ...
REAPERPreview
REAPER Preview
Project: Rapid Evidence Acquisition Project for Event Reconstruction (REAPER) Preview<div class="p1">Purpose: A forensic boot CD that quickly and autom...
Forensic Image and Video Extraction Support (FIVES) Project
While working with the Open Computer Forensics Architecture (OCFA), I came across the Forensic Image and Video Extraction Support (FIVES) project. At the tim...
Debian Live X Only
Looking for a lighter way to run REAPER Preview, we are looking into an X only kiosk-type implementation, al la:http://jadoba.net/kiosks/firefox/Also looking...
Profile Based Digital Forensic Preview
The newest build of REAPER Preview (officially Alpha 2) includes quite a few changes, but one that I am especially excited about is Profile Based Preivew. Fi...
REAPER Preview Alpha 2 changelog
Gearing up for the official Alpha 2 release of REAPER Preview here is the change log and feature list:Back-end:<ul><li>REAPER Preview no longer l...
REAPER Preview POC Mentioned
The REAPER Preview Proof of Concept was mentioned on nukeitdotorg!Also an updated version of REAPERlive that can be imaged directly to any USB hard drive (wi...
REAPER SVN Access
Instructions for using SVN to get the newest version of the REAPER Project:These instructions are for SVN from a Linux command line, and specifically Debian....
REAPER Preview Setup and Configuration
(Command line instructions)6 Nov. 2010REAPERlive Preview:Extracting a working directoryOnce you have downloaded the REAPERlivePreview build pa...
REAPERlive Preview POC Released
REAPERlive Preview has been released as a proof of concept. The ISO is available for download at sorceforge. Currently only images are displayed, but lists o...
REAPER Preview
Throughout the time I have been developing REAPER, many people in more developed countries have expressed a need for a type of forensic preview ability. Mayb...
REAPER Logo
Logo design by Laura Small and Joshua James.Digital artwork by Laura Small.The REAPER logo by Joshua James is licensed under a Creative Commons Attribution-...
Magnet
Magnet CTF Week 12 - Registry update analysis
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 11 - DNS Cache Analysis… sort of
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 10 - Network analysis in RAM
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 9 - Digging through memory
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 8 - Persistence in plain sight
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 7 - Hadoop Node Networking
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 6 - Riddle ELFs
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 5 - HDFS around the block
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 4 - GUIDSWAP and drop
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 3 - The case of the spoiled S. Cargo
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Magnet CTF Week 2 - URLs in Pictures in Pictures
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Conferences 2014
Korea Linux Forum 2014: Linux and Law Enforcement
On November 11, 2014 Joshua James of CybercrimeTech.com gave a presentation at the Korea Linux Forum on Linux and Law Enforcement: Challenges and Opportunit...
World Forensic Festival, Digital Forensic Masters and the Korea Linux Forum
A pretty busy day preparing for the World Forensic Festival next week. If you are going, please be sure to catch me on Thursday and Friday for the Digital F...
5th Annual Open Source Digital Forensics Conference
The 5th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on November 5, 2014 at the Westin Washington Dulles in Herndon, VA. This conf...
ICDF2C 2014 early registration ends August 29th
The 6th International Conference on Digital Forensics & Cyber Crime is now open for registration!<div class="separator" style="clear: both; text-align...
[CFP] ICDF2C 2014 Submissions Due
Just a quick reminder that submissions for the 6th International Conference on Digital Forensics & Cyber Crime are due THIS FRIDAY (May 16, 2014). See su...
[CFP] World Forensic Festival 2014
World Forensic Festival, Oct. 12 - 18, 2014 in Seoul, South Korea.Abstract submission due: May 31, 2014Program site: http://wff2014korea.org/<img alt=”Wor...
[CFP] ICDF2C 2014
Don’t forget about the 6th International Conference on Digital Forensics & Cyber Crime, September 18–20, 2014 in New Haven, Connecticut, United States.Th...
[CFP] 6th International Conference on Digital Forensics & Cyber Crime
September 18-20, 2014 - New Haven, CT, USA | Call for papersIMPORTANT DATESPaper Submission: 16 May, 2014Notification of Acceptance: 30 July, 2014Camera-read...
[CFP] DFRWS EU 2014
From http://dfrws.org/2014eu/cfp.shtmlThe DFRWS-EU Conference that will be held in Amsterdam on the 7-9 May 2014.Important DatesSubmission deadline: December...
[Survey] Digital Forensic Research Workshop Europe
<h3 class="groups title" style="border: 0px; color: #333333; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">...
REAPER
Revisiting REAPER: Automating digital forensic investigations
The Rapid Evidence Acquisition Project for Event Reconstruction [1] was one of the first projects that I worked on during my PhD. It started around 2008, whe...
REAPER Preview
Project: Rapid Evidence Acquisition Project for Event Reconstruction (REAPER) Preview<div class="p1">Purpose: A forensic boot CD that quickly and autom...
Rapid Evidence Acquisition Project for Event Reconstruction
Project: Rapid Evidence Acquisition Project for Event Reconstruction (REAPER)Purpose: To fully automate the acquisition, processing and analysis phases of a ...
REAPER - Installable via self-extracting exe file
We have been looking into easier, more automatic ways for people to install and use REAPER products. Up to now we have mostly been focused on Linux-based dis...
REAPERlive Change Log - 7 Jan 2010
Change Log - 7 Jan 2010REAPERliveMajor Revision-Remove need for 2 drives.-Temp remove OCFA processing. -Add Ability to partition REAPERlive storage drive aut...
REAPERlive Major Revision in Progress
REAPERlive is being revamped. An effort to clean up and standardize a lot of the code is going on. This first part of the project will allow REAPERlive to:1)...
REAPER SVN Access
Instructions for using SVN to get the newest version of the REAPER Project:These instructions are for SVN from a Linux command line, and specifically Debian....
REAPER Preview
Throughout the time I have been developing REAPER, many people in more developed countries have expressed a need for a type of forensic preview ability. Mayb...
REAPER Logo
Logo design by Laura Small and Joshua James.Digital artwork by Laura Small.The REAPER logo by Joshua James is licensed under a Creative Commons Attribution-...
Encryption
[How to] GPG and Signing Data
GNU Privacy Guard (GPG) uses public and private keys to secure communications (public-key cryptography). Many people use it to encrypt their email or other d...
[How-To] Using GnuPG to verify data using detached signatures
Many software downloads come with a signature file. You normally need to download this signature file separately. Signatures are a great way to let people ...
Seoul Tech Society Crypto Event
On June 24th, Seoul Tech Society held an ‘introduction to cryptography’ event. First, Artem Lenskiy gave an overview of how symmetric and asymmetric encrypti...
GPG Key Signing Party in Seoul 2015/06/24
Seoul Tech Society is having an introduction to Public Key Infrastructure (PKI) Wednesday, June 24th at D.CAMP in Seoul. We will give an introduction to PKI...
Attacking Zip File Passwords from the Command Line
There was recently a question on SuperUser linking back to CybercrimeTech’s article about cracking passwords, with an issue about zip files using ZipCrypto, ...
[How to] Brute forcing password cracking devices (LUKS)
We have written in the past about how to crack passwords on password-protected RAR and ZIP files, but in those cases someone wrote a program to extract the p...
Sending a manually encrypted email using a public key
Some web-based email services don’t have an encryption client available, but if you still want to be able to encrypt an email using someone’s ...
Encrypted backup and the importance of redundancy
As more online storage is made available, it is often convenient to store our personal documents on the web to share between devices or with friends, family...
Memory Forensics
[How To] Digital Forensic Memory Analysis - Volatility
This week we will begin with a very basic introduction into the memory analysis framework Volatility. We will use volatility to collect information about a m...
What I’m Reading - Robust bootstrapping memory analysis against anti forensics
Today we are talking about ‘Robust bootstrapping memory analysis against anti-forensics’ by Lee Kyoungho, Hwang Hyunuk, Kim Kibom and Noh BongNam. This paper...
[How To] Digital Forensic Memory Analysis - strings, grep and photorec
This week we will show how to use basic data processing tools strings, grep and photorec to start an analysis of a Random Access Memory (RAM) image, even if ...
How To - Forensic Memory Acquisition in Linux with LiME
This week we will be using LiME to acquire a memory image in a suspect Linux system. LiME is a loadable kernel module that needs to be compiled based on the ...
[CFP] Digital Investigation: Special Issue on Volatile Memory Analysis
Digital Investigation: Special Issue on Volatile Memory Analysis Deadline for submissions is 31 August 2016. Memory analysis is a hot research topic with wid...
Goldfish
Project: Goldfish<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue...
FireWire DMA Attacks for Memory Acquisition
Firewire exploits that can be used to dump, or even alter a target machine’s RAM.http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part...
CFP 2016
[CFP] Digital Investigation: Special Issue on Volatile Memory Analysis
Digital Investigation: Special Issue on Volatile Memory Analysis Deadline for submissions is 31 August 2016. Memory analysis is a hot research topic with wid...
[CFP] CLOUDFOR extended submission deadline
<pre wrap=”>CLOUDFOR 2016: Workshop on Cloud ForensicsIn conjunction with the 9th IEEE/ACM International Conference on Utility and Cloud Computing (UCC...
[CFP] Security of Individual, State and Society: Challenges and Perspectives
Perm State UniversityFaculty of LawThe University of LouisvilleDepartments of Criminal Justice Computer Engineering and Computer Science and The Brandeis Sch...
[CFP] ICDF2C Submission date extended!
ICDF2C 2016 in New York has extended its call for papers until April 25th! Call for papers for the 8th International Conference on Digital Forensics and Cyb...
[CFP] Journal of Digital Forensics Security and Law
The Journal of Digital Forensics, Security and Law published its first issue in the 1st quarter of 2006 and is now calling for papers in, or related to, t...
[CFP] JDFSL Special issue on Cyberharassment Investigation: Advances and Trends
JDFSL Special issue on Cyberharassment Investigation: Advances and Trends. Anecdotal evidence indicates that cyber harassment is becoming more prevalent as ...
[CFP] Call for Papers ICDF2C 2016
8th International Conference on Digital Forensics and Cyber Crime<div class="separator" style="clear: both; text-align: center;"></div>Location: ...
Projects
Indicators of Anti-Forensics
Project: Indicators of Anti-Forensics (IoAF)Purpose: Digital forensic triage for anti-forensic activitiesStatus: ActiveLicense: GNU GPLv3Developer(s): KITRI’...
Project ATOM
Project: ATOM<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', H...
Automated Network Triage (ANT) / Profiler
Project: Automated Network Triage (ANT) / Profiler<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', Hel...
Goldfish
Project: Goldfish<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue...
REAPER Preview
Project: Rapid Evidence Acquisition Project for Event Reconstruction (REAPER) Preview<div class="p1">Purpose: A forensic boot CD that quickly and autom...
Rapid Evidence Acquisition Project for Event Reconstruction
Project: Rapid Evidence Acquisition Project for Event Reconstruction (REAPER)Purpose: To fully automate the acquisition, processing and analysis phases of a ...
CFP 2013
[CFP] DFRWS EU 2014
From http://dfrws.org/2014eu/cfp.shtmlThe DFRWS-EU Conference that will be held in Amsterdam on the 7-9 May 2014.Important DatesSubmission deadline: December...
Global Essay Competition for Seoul Conference on Cyberspace 2013
From the Korean Ministry of Foreign Affairs:1,500 to 2,000 word essayDeadline: 12 July, 2013Notification: 'end of July' More information can be found here. ...
[CFP] ICDF2C 2013 Note of Change of Date
Please note, the dates for the ICDF2C 2013 have slightly changed.Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 201325-27 Septe...
CFP - Eighth International Conference on Internet Monitoring and Protection ICIMP 2013
CFP: ICIMP 2013, The Eighth International Conference on Internet Monitoring and Protection June 23 - 28, 2013 - Rome, Italy Submission deadline: February 7, ...
Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 2013
Fifth International Conference on Digital Forensics and Cyber Crime - ICDF2C 201325-27 September 2013Moscow, Russiahttp://www.d-forensics.org/2013Submission ...
Digital Forensic Research Workshop (DFRWS) 2013
CFP DFRWS 2013Important dates:<ul><li>Submission deadline: February 20, 2013 (any time zone). This is a firm deadline. </li><li>Autho...
programming
Learn Python Programming
Programming is a useful skill for digital investigators. Not only does programming let you automate your investigation process, but it also helps build a bet...
tools
Automatically extract faces from video - Tsurugi Linux - video2faces
We show how to extract faces from video with the video2faces utility in Tsurugi Linux. The tool is relatively easy to use, but you should consider what type ...
Using video2ocr / Tesseract-OCR to extract text from video
This video demonstrates how to use the Tsurugi Linux video2ocr script to extract text from video. video2ocr uses ffmpeg to create screenshots of a target vid...
Physical Image and Partition Mounting in Tsurugi Linux
This is a basic DFIR skill, but extremely useful. Demonstrated on Tsurugi Linux.
Multi-Threading Forensic Applications
Always check for multi-threaded forensic applications because it will save you hours in investigation time. We look at MD5SUM and MD5DEEP and how long each w...
Amazon AWS EC2 Forensic Memory Acquisition - LiME
EC2 Forensics can use many of the same tools and techniques as computer forensics. Usually, just with the addition of networking concepts. In this video, we ...
Getting Started with Bento Digital Forensics Toolkit
The Bento Digital Forensics toolkit is an easy way to manage forensic tools locally or create a live response toolkit to take on-scene. Bento 2021.9 brings m...
CFP 2012
CFP: OMICS Group International Conference on Forensic Research and Technology
Open call for abstracts (will receive DOI) for the International Conference on Forensic Research and Technology. Looks like an interesting mix of all forensi...
CFP - Heterogeneous Networking for Quality, Reliability, Security and Robustness - Qshine 2013
9th International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness - Qshine 201311th-12th January 2013 Gautam Buddha ...
CFP: Africomm 2012
<div class="p1">Call for Papers</div><div class="p1">——————–</div><div class="p1">Fourth International IEEE EAI Conference on e...
CFP: IRISSCERT Cyber Crime Conference
The IRISSCERT Cyber Crime Conference will be held November 22, 2012 in Dublin, Ireland. More information can be found here.They are currently running a call ...
ICDF2C 2012
The 4th International Conference on Digital Forensics and Cyber Crime (ICDF2C), hosted at Purdue University, will be held from October 24-26, 2012.Website: h...
Hashing
[How-To] Using GnuPG to verify data using detached signatures
Many software downloads come with a signature file. You normally need to download this signature file separately. Signatures are a great way to let people ...
Clearing USB disk read cache for testing and forensics in Linux
When copying data from USB devices in Linux (Debian / Ubuntu), you may have noticed that reading data from the disk the first time takes a while, and readin...
Convert EnCase hash sets to md5sum
I managed to get a hold of a list of known-bad hashes to use in an experiment. The hashes, however, were in EnCase “.hash” format.<div></div><...
Using XARGS to speed up batch processing
[Edit 24/7/2013] Be careful when using xargs to spawn multiple processes that write to the same file. I’ve been using it with md5sum and pipin...
md5sum vs. md5deep vs. openssl md5: MD5 calculation speed test
The following experiment is conducted to determine if md5sum, md5deep or openssl md5 hash calculations are faster than the others. Methodology:<div>Te...
anti-forensics
What I’m Reading - Robust bootstrapping memory analysis against anti forensics
Today we are talking about ‘Robust bootstrapping memory analysis against anti-forensics’ by Lee Kyoungho, Hwang Hyunuk, Kim Kibom and Noh BongNam. This paper...
[How to] Brute forcing password cracking devices (LUKS)
We have written in the past about how to crack passwords on password-protected RAR and ZIP files, but in those cases someone wrote a program to extract the p...
Indicators of Anti-Forensics
Project: Indicators of Anti-Forensics (IoAF)Purpose: Digital forensic triage for anti-forensic activitiesStatus: ActiveLicense: GNU GPLv3Developer(s): KITRI’...
[BoB] Anti Forensics Techniques and eForensics Mag
<div style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></div>As a mentor with KITRI’s “Best of the Best v2.0” information...
[BoB] Indicators of Anti-Forensics Investigator Survey (Korean)
The following survey results are from Korean Digital Forensic Investigators concerning the use of anti-forensics observed in their investigations. This surve...
CFP 2014
[CFP] ICDF2C 2014 Submissions Due
Just a quick reminder that submissions for the 6th International Conference on Digital Forensics & Cyber Crime are due THIS FRIDAY (May 16, 2014). See su...
[CFP] World Forensic Festival 2014
World Forensic Festival, Oct. 12 - 18, 2014 in Seoul, South Korea.Abstract submission due: May 31, 2014Program site: http://wff2014korea.org/<img alt=”Wor...
[CFP] DFRWS 2014 Forensic Challenge: Mobile Malware Analysis
See the challenge page for more information: Submission deadline: May 30, 2014 Mobile Malware Analysis The overall goal of this challenge is to raise the sta...
[CFP] ICDF2C 2014
Don’t forget about the 6th International Conference on Digital Forensics & Cyber Crime, September 18–20, 2014 in New Haven, Connecticut, United States.Th...
[CFP] 6th International Conference on Digital Forensics & Cyber Crime
September 18-20, 2014 - New Haven, CT, USA | Call for papersIMPORTANT DATESPaper Submission: 16 May, 2014Notification of Acceptance: 30 July, 2014Camera-read...
DFRWS
DFRWS EU Early Registration open till end of February
The DFRWS EU 2016 conference will be hosted by the University of Lausanne, Switzerland, at the end of March 2016. Ever since the first open workshop in 2001...
Philipp Amann interviewed about robustness and resilience in digital forensics laboratories
Forensic Focus recently interviewed Philipp Amann, Senior Strategic Analyst, Europol about our DFRWS EU 2015 paper “Designing robustness and resilience in di...
[CFP] DFRWS EU 2016
The DFRWS EU 2016 conference will be held in Lausanne, Switzerland from March 30th to April 1st, 2016.<div class="separator" style="clear: both; text-alig...
[CFP] Digital Forensic Research Workshop EU 2015
Digital Forensic Research Workshop (DFRWS) EU 2015 Call for PapersDublin, Ireland on the 23-26 March 2015<div><ul><li>Important Dates:</...
Password Cracking
[How-To] Installing thc Hydra in Ubuntu
The steps below are how to easily install thc Hydra in Ubuntu with the majority of required libraries for common tasks. Hydra is a pretty well-known remote a...
Attacking Zip File Passwords from the Command Line
There was recently a question on SuperUser linking back to CybercrimeTech’s article about cracking passwords, with an issue about zip files using ZipCrypto, ...
PRNewsWire Quotes CybercrimeTech
PRNewsWire, when writing about Passware’s new LUKS GPU-assisted brute force cracker, referenced our work on LUKS password cracking with John the Ripper.<d...
How-to - Cracking ZIP and RAR protected files with John the Ripper
After seeing how to compile John the Ripper to use all your computer’s processors now we can use it for some tasks that may be useful to digital forensic inv...
How-to - Compiling John the Ripper to use all your processors for password cracking
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect w...
Forensic Acquisition
How To - Forensic Memory Acquisition in Linux with LiME
This week we will be using LiME to acquire a memory image in a suspect Linux system. LiME is a loadable kernel module that needs to be compiled based on the ...
[How To] Forensic Acquisition in Windows - FTK Imager
In this video we show how to do a forensic acquisition of a suspect disk using FTK Imager in Windows.<div class="separator" style="clear: both; text-align...
[How To] Forensic Acquisition in Linux - Guymager
This video shows how to acquire a forensic disk image of a suspect device in Linux using Guymager. Guymager is an extremely fast digital forensic imaging too...
[How To] Forensic Acquisition in Linux - DCFLDD
This video shows how to use DCFLDD to acquire a disk image from a suspect device in the Linux command line. DCFLDD is an expanded version of ‘dd’ that suppor...
[How To] Forensic Data Acquisition - Hardware Write Blockers
In this video we will show external write-blockers and describe how they are used to prevent writing data to suspect devices. We will talk about bottlenecks ...
tutorial
Threats
No More Ransom - Detecting and unlocking ransomware without paying
Data is valuable. Ransomware takes advantage of the financial or sentimental value of our data, as well as the fact that most homes and organizations do not ...
[How-To] Installing thc Hydra in Ubuntu
The steps below are how to easily install thc Hydra in Ubuntu with the majority of required libraries for common tasks. Hydra is a pretty well-known remote a...
Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 2
A while back we looked at Challenge 1 in the Four Grand Challenges in Trustworthy Computing from 2003. In my opinion, we have fallen quite short on Challenge...
Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 1
Almost a decade ago, the Computing Research Association published Four Grand Challenges in Trustworthy Computing. Working in a rapidly-evolving digital field...
Survey
Help us understand Mutual Legal Assistance and win a FIREBrick Write Blocker
Please help DigitalFIRE Labs understand the current state of Mutual Legal Assistance Requests relating to digital evidence, and be entered for a chance to wi...
[BoB] Indicators of Anti-Forensics Investigator Survey (Korean)
The following survey results are from Korean Digital Forensic Investigators concerning the use of anti-forensics observed in their investigations. This surve...
[Survey] Investigation Prioritization of Crimes Involving Digital Evidence
The following survey is being conducted by Joshua James of the Digital Forensic Investigation Research Laboratory (DigitalFIRE) to assess public opinion on t...
Survey About Crime Investigation Priority
<div class="MsoNormal">This Crime Investigation Priority survey is being conducted by a researcher at University College Dublin. The purpose is to dire...
Law
An Argument for Assumed Extra-territorial Consent During Cybercrime Investigations
As seen on DigitalFIRE.ucd.ieDuring cybercrime investigations it’s common to find that a suspect has used technology in a country outside of the territorial ...
Cybersecurity and Challenges to Democracy
South Korea’s democracy can only be described as… developing. In the late 1970s, after the assassination of Military Dictator Park Chung-hee (who Koreans oft...
South Korean National Cyber Terrorism Prevention Act (English)
An unofficial English translation of the proposed South Korean National Cyber Terrorism Prevention Act.The recently proposed South Korean Nati...
South Korean National Cyber Terrorism Prevention Act (Korean)
The recently proposed South Korean National Cyber Terrorism Prevention Act: [Korean PDF] [English PDF]êµ?? ?¬ì´ë²„í…Œ??ë°©ì???ê´€??법ë...
ICDF2C
[CFP] Call for Papers ICDF2C 2016
8th International Conference on Digital Forensics and Cyber Crime<div class="separator" style="clear: both; text-align: center;"></div>Location: ...
ICDF2C Revised Draft Program Released
7th International Conference on Digital Forensics and Cyber Crime (ICDF2C) updated program is now available here: http://bit.ly/1LsJpvM<div class="separat...
A Proposal for Cyber Peacekeeping (CPK)
After a year of collaborative effort we submitted a paper about Cyber Peacekeeping (CPK) to ICDF2C 2015 (http://d-forensics.org/) and have just learned about...
[CFP] 6th International Conference on Digital Forensics & Cyber Crime
September 18-20, 2014 - New Haven, CT, USA | Call for papersIMPORTANT DATESPaper Submission: 16 May, 2014Notification of Acceptance: 30 July, 2014Camera-read...
CFP
ICDF2C 2020 @Boston Call for Papers
ICDF2C brings together researchers and practitioners in order to scientifically address the numerous challenges due to the rapid increase in the amount and v...
ICDF2C 2018 Extended Call for Papers
Extended to May 14th, 2018 See more information at http://d-forensics.org/
[CFP] WSDF 2017 - extended deadline
Submission Deadline Extended to May 1st, 2017
ICDF2C and SeoulTechSoc Call for Essays on Information Security
ICDF2C and Seoul Tech Society Essay Contest Have you ever surfed the Dark Web? Are you worried about the security of your virtual property? Technology is cha...
android
How to add artifacts to ALEAPP
The Android Logs Events And Protobuf Parser (ALEAPP) is a fast triage tool for Android forensic processing. ALEAPP is relatively modular in design, and it is...
Android logical acquisition with android_triage
In this video, we look at the android_triage utility that helps with fast android logical acquisitions. It uses the Android Debug Bridge (adb) to connect to ...
Magnet CTF Week 1 - Timestamps of doom
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Imaging Android with ADB, Root, Netcat and DD
Today we are going to acquire an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd. The system I am using is Ubuntu linux....
linux
Mounting Linux Logical Volumes in Forensic Disk Images
Linux supports Logical Volume Management, which assists in managing partition features such as resizing and encryption. However, many forensic tools cannot d...
iPhone forensics with Linux command line and bplister
iPhone (iOS) forensics is somewhat complicated by difficult data structures in the device. However, it is possible to do a quick iPhone investigation with ba...
Tsurugi Linux for Digital Forensics - Download and verify
Tsurugi Linux is a DFIR Linux distribution by Backtrack and Deft Linux veterans. I loved DEFT, and was excited to see what the Tsurugi team had planned. This...
Imaging Android with ADB, Root, Netcat and DD
Today we are going to acquire an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd. The system I am using is Ubuntu linux....
golang
course
Digital Crime
Dark Nets and Why They Are a Challenge for Police
Based on the BBC News article “Dark net used by tens of thousands of paedophiles” (2014), one might wonder what “Dark Net” is, and why Police are having such...
Digital Forensic Investigation and Cloud Computing
We have a chapter in an upcoming book, Cybercrime and Cloud Forensics: Applications for Investigation ProcessesOur chapter aims to be a high-level introducti...
Digital Crime Categorization using the AFP CCPM
When attempting to gather statistics about digital crime and investigations in different countries, and sometimes on a national level, the inconsistency in c...
Crime
[Survey] Investigation Prioritization of Crimes Involving Digital Evidence
The following survey is being conducted by Joshua James of the Digital Forensic Investigation Research Laboratory (DigitalFIRE) to assess public opinion on t...
Predictive Policing and Online Crime
FutureCrimes.com just passed on the single Sci-fi policing: predicting crime before it occurs. Crime modeling used by the LAPD appears to have contributed t...
Digital Crime Categorization using the AFP CCPM
When attempting to gather statistics about digital crime and investigations in different countries, and sometimes on a national level, the inconsistency in c...
Fuzzy Hashing
Another SDHASH Test with Picture Files
After the last SDHASH test showed that fuzzy hashing on multiple sizes of the same picture files did not appear to work well. I decided to try...
Comparing Fuzzy Hashes of Different Sizes of the Same Picture (SDHASH)
In a previous single, we looked at setting up and using SDHASH. After comparing modified files and, and getting a high score for similarity, w...
Similarity Comparison with SDHASH (fuzzy hashing)
Being a fan of ssdeep for fuzzy hashing, I was interested in this article comparing ssdeep to sdhash.As the article says, ssdeep basically bre...
Intelligence
[How to] GPG and Signing Data
GNU Privacy Guard (GPG) uses public and private keys to secure communications (public-key cryptography). Many people use it to encrypt their email or other d...
Cybersecurity and Challenges to Democracy
South Korea’s democracy can only be described as… developing. In the late 1970s, after the assassination of Military Dictator Park Chung-hee (who Koreans oft...
Social Media and Intelligence Gathering
As seen on DigitalFIREOnline social media has changed the way many people, businesses and even governments interact with each other. Because of Twitter’s pop...
Webinar
[Webinar] EnCase & Python – Extending Your Investigative Capabilities
<pre wrap=”>EnCase & Python – Extending Your Investigative CapabilitiesDate: Wednesday September 9th, 2015 Time: 11:00am PDT / 2:00pm EDT / 7:00pm ...
Webinar: Tackle the Legal Issues of Obtaining Digital Evidence in the Cloud
Webinar: Tackle the Legal Issues of Obtaining Digital Evidence in the Cloud Cost: FreeDate: Wed August 12th, 2015Time: 08:00am UTC / 10:00am CEST / 4:00pm AW...
[Webinar] Malware Triage and Analysis with AccessData
When: Tuesday, May 28, 2013 10:00 AM - 12:00 PM PDTSpeaker: Chris Sanft Registration FormAttend this session to learn about the industry’s first automated ma...
Thanks!
PRNewsWire Quotes CybercrimeTech
PRNewsWire, when writing about Passware’s new LUKS GPU-assisted brute force cracker, referenced our work on LUKS password cracking with John the Ripper.<d...
Convert EnCase hash sets to md5sum
I managed to get a hold of a list of known-bad hashes to use in an experiment. The hashes, however, were in EnCase “.hash” format.<div></div><...
CybercrimeTech Interviewed!: Baby Got Bactria
Since the single went up in the middle of travelling for conferences and Police training, I didn’t get a chance to thank the very interesting history blog Ba...
JDFSL
[CFP] Journal of Digital Forensics Security and Law
The Journal of Digital Forensics, Security and Law published its first issue in the 1st quarter of 2006 and is now calling for papers in, or related to, t...
[CFP] JDFSL Special issue on Cyberharassment Investigation: Advances and Trends
JDFSL Special issue on Cyberharassment Investigation: Advances and Trends. Anecdotal evidence indicates that cyber harassment is becoming more prevalent as ...
Journal of Digital Forensics, Security and Law now Open Access
The Journal of Digital Forensics, Security and Law (JDFSL) is now an Open Access Journal. They also have a new website that uses the Open Journal System for ...
Cybersecurity
[CFP] Security of Individual, State and Society: Challenges and Perspectives
Perm State UniversityFaculty of LawThe University of LouisvilleDepartments of Criminal Justice Computer Engineering and Computer Science and The Brandeis Sch...
A Proposal for Cyber Peacekeeping (CPK)
After a year of collaborative effort we submitted a paper about Cyber Peacekeeping (CPK) to ICDF2C 2015 (http://d-forensics.org/) and have just learned about...
Cybersecurity Tips for Business Travelers
I recently received an email from someone claiming to be from CNN, wanting to do a segment on cyber security for business travelers. They asked for some bul...
GPG
[How to] GPG and Signing Data
GNU Privacy Guard (GPG) uses public and private keys to secure communications (public-key cryptography). Many people use it to encrypt their email or other d...
[How-To] Using GnuPG to verify data using detached signatures
Many software downloads come with a signature file. You normally need to download this signature file separately. Signatures are a great way to let people ...
GPG Key Signing Party in Seoul 2015/06/24
Seoul Tech Society is having an introduction to Public Key Infrastructure (PKI) Wednesday, June 24th at D.CAMP in Seoul. We will give an introduction to PKI...
Conferences 2016
[CFP] ICDF2C Submission date extended!
ICDF2C 2016 in New York has extended its call for papers until April 25th! Call for papers for the 8th International Conference on Digital Forensics and Cyb...
DFRWS EU Early Registration open till end of February
The DFRWS EU 2016 conference will be hosted by the University of Lausanne, Switzerland, at the end of March 2016. Ever since the first open workshop in 2001...
[CFP] DFRWS EU 2016
The DFRWS EU 2016 conference will be held in Lausanne, Switzerland from March 30th to April 1st, 2016.<div class="separator" style="clear: both; text-alig...
python
Convert UFDR to DIR
In a prior post we tested parsing a Cellebrite Reader UFDR file directly with ALEAPP. Although ALEAPP could process the file if we renamed it with a .zip ext...
Learn Python Programming
Programming is a useful skill for digital investigators. Not only does programming let you automate your investigation process, but it also helps build a bet...
[Webinar] EnCase & Python – Extending Your Investigative Capabilities
<pre wrap=”>EnCase & Python – Extending Your Investigative CapabilitiesDate: Wednesday September 9th, 2015 Time: 11:00am PDT / 2:00pm EDT / 7:00pm ...
digital forensics
Amazon AWS EC2 Forensic Memory Acquisition - LiME
EC2 Forensics can use many of the same tools and techniques as computer forensics. Usually, just with the addition of networking concepts. In this video, we ...
Research 101: How to do research in digital forensics
Digital forensic science includes many areas of study. Gaining a background in every relevant area is difficult, if not impossible. However, all knowledge in...
How To - Introduction to Autopsy for Digital Forensics
Autopsy is a free, open source digital forensic tool that supports a wide range of add-on modules. Available APIs allow an investigator to easily create thei...
research
Creating a telegram bot to assist with research automation
Over the past few years, the LIFS@Hallym Research Group grew big, really fast. We have tried several tools and workflows to try to stay organized as a group,...
Research 101: How to do research in digital forensics
Digital forensic science includes many areas of study. Gaining a background in every relevant area is difficult, if not impossible. However, all knowledge in...
Cybersecurity Revolution Conference 2018: Lessons learned
Last Friday was the Cybersecurity Revolution conference. The idea for the conference came from my friend at Serene-Risc. The concept was something similar to...
investigation
Bitcoin forensics - visualizing blockchain transactions with Maltego
Cryptocurrency investigations - like Bitcoin forensics - usually involve blockchain transaction analysis. You can use blockchain.com Explorer to look up Bitc...
Bitcoin Investigation and Wallet Seizure
Bitcoin investigation - and cryptocurrency investigations in general - benefit from access to a transparent ledger system - or blockchain - that investigator...
General overview of investigation process
Many people that begin learning digital investigation, especially formally, seem to learn technical issues before the criminal investigation procedure. The p...
mobile
Fast iPhone forensic analysis with iLEAPP
iPhone forensic analysis can be complicated, but sometimes you need to quickly access some of the most common information. iOS Logs, Events, And Plists Parse...
Is this the fastest way to analyze Android?
Android forensics can take a long time to process. But if you just need a quick overview of the most common artifacts, check out the Android Logs Events And ...
WIN $100 and PRIZES - November DFIR Dev
Welcome everyone to the November DFIR Dev competition!
cryptocurrency
Bitcoin forensics - visualizing blockchain transactions with Maltego
Cryptocurrency investigations - like Bitcoin forensics - usually involve blockchain transaction analysis. You can use blockchain.com Explorer to look up Bitc...
Bitcoin Investigation and Wallet Seizure
Bitcoin investigation - and cryptocurrency investigations in general - benefit from access to a transparent ledger system - or blockchain - that investigator...
Cryptocurrency Investigation - Blockchain Basics
Cryptocurrency investigation is much like other forms of financial crime investigation. Find transactions, find accounts and tie accounts to a real person. C...
Goldfish
Goldfish
Project: Goldfish<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue...
FireWire DMA Attacks for Memory Acquisition
Firewire exploits that can be used to dump, or even alter a target machine’s RAM.http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part...
Cybercrime Technologies
About Cybercrime Technologies
Welcome to Cybercrime Technologies. This blog is devoted to research and development in the area of Cybercrime and Digital Forensic Investigations. It will b...
Cybercrime Technologies Philosophy
Cybercrime Technologies was founded on the principal that the level of competent, quality digital investigations should not be based on the budget of the pra...
Categorization
[Hash sets] Korea University DFRC Reference Data Set
If you work in the area of digital investigation, you probably know about NIST’s National Software Reference Library (NSRL). <blockquote>The National S...
Digital Crime Categorization using the AFP CCPM
When attempting to gather statistics about digital crime and investigations in different countries, and sometimes on a national level, the inconsistency in c...
Malware
Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 2
A while back we looked at Challenge 1 in the Four Grand Challenges in Trustworthy Computing from 2003. In my opinion, we have fallen quite short on Challenge...
Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 1
Almost a decade ago, the Computing Research Association published Four Grand Challenges in Trustworthy Computing. Working in a rapidly-evolving digital field...
Live Data Forensics
[BoB] Anti Forensics Techniques and eForensics Mag
<div style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></div>As a mentor with KITRI’s “Best of the Best v2.0” information...
Forensic Acquisition of a Virtual Machine with Access to the Host
Someone recently asked about an easy way to create a RAW image of virtual machine (VM) disks, so here is a quick how-to.<div class="separator" style="clea...
Cloud Computing
InfoSecurity Russia 2012
Last week, Pavel and I gave an invited talk at InfoSecurity Russia 2012. From Digital FIRE:<blockquote class="tr_bq">Our talk explored the issues of di...
Digital Forensic Investigation and Cloud Computing
We have a chapter in an upcoming book, Cybercrime and Cloud Forensics: Applications for Investigation ProcessesOur chapter aims to be a high-level introducti...
International Communication
Cybersecurity and Challenges to Democracy
South Korea’s democracy can only be described as… developing. In the late 1970s, after the assassination of Military Dictator Park Chung-hee (who Koreans oft...
Future Crimes Ted Talk
[Update] See Bruce Schneier’s responseOur friends at FutureCrimes.com recently had a good Ted talk about technology, crime and a potential way to fight crime...
Storage
Creating and Configuring a Large Redundant Storage Array for a Network Share in Ubuntu using MDADM
We had a hardware RAID card that worked well in Windows, but was giving some issues in Linux (Ubuntu 12.04). So, we decided to try to setup a software array ...
ZFS and NFS for Forensic Storage Servers
We’ve been looking at different storage solutions to act as storage servers for forensic images, and some extracted data. Essentially we have a server with e...
Digital Forensic and Forensic Sciences
Journal of Digital Forensics, Security and Law now Open Access
The Journal of Digital Forensics, Security and Law (JDFSL) is now an Open Access Journal. They also have a new website that uses the Open Journal System for ...
[CFP] 6th International Conference on Digital Forensics & Cyber Crime
September 18-20, 2014 - New Haven, CT, USA | Call for papersIMPORTANT DATESPaper Submission: 16 May, 2014Notification of Acceptance: 30 July, 2014Camera-read...
Standards
Koreas first step to globalization through ODT
ZDNet Korea reports that the South Korean government is making a first-step to shift from the proprietary Hangul Word Processor (HWP) file format (.hwp) to t...
U.K. Adopts Open Document Formats to Improve Communication
According to UK.gov, the UK Government is adopting open formats for all of its government documents. The formats are PDF/A and HTML from viewing government d...
Human Exploitation
Child Exploitation Forensic Tool: NuDetective
I met some Brazilian Law Enforcement at the 2014 World Forensic Festival. They were talking about Child Online Exploitation in Brazil, and a tool they develo...
Online Child Exploitation Awareness Project
With the KITRI Best of the Best Information security program, we have been developing tools for Law Enforcement to use in the automatic detection of Child E...
Cybercrime
[CFP] Security of Individual, State and Society: Challenges and Perspectives
Perm State UniversityFaculty of LawThe University of LouisvilleDepartments of Criminal Justice Computer Engineering and Computer Science and The Brandeis Sch...
Cybersecurity Tips for Business Travelers
I recently received an email from someone claiming to be from CNN, wanting to do a segment on cyber security for business travelers. They asked for some bul...
Meetup
Seoul Tech Society Crypto Event
On June 24th, Seoul Tech Society held an ‘introduction to cryptography’ event. First, Artem Lenskiy gave an overview of how symmetric and asymmetric encrypti...
GPG Key Signing Party in Seoul 2015/06/24
Seoul Tech Society is having an introduction to Public Key Infrastructure (PKI) Wednesday, June 24th at D.CAMP in Seoul. We will give an introduction to PKI...
SeoulTechSoc
ICDF2C 2015 in Seoul, South Korea Final Program Now Available
The 7th EAI International Conference on Digital Forensics & Cyber Crime will be held OCTOBER 6–8, 2015 in SEOUL, SOUTH KOREA.The final program is now ava...
Seoul Tech Society Crypto Event
On June 24th, Seoul Tech Society held an ‘introduction to cryptography’ event. First, Artem Lenskiy gave an overview of how symmetric and asymmetric encrypti...
cyberlaw
Paid Graduate Positions Available: Digital Investigations in Internet of Things
The Legal Informatics and Forensic Science (LIFS) Institute in the College of International Studies at Hallym University, South Korea, currently has openings...
사물인터넷(IoT) 디지털 수사 관련 전액장학금 지원 석/박사 직위 공모
한림대학교 국제학부의 정보법과학전공에서는 현재 석사, 박사, 그리고 박사후과정생을 대상으로 정규직 연구원을 모집하고 있습니다. 해당 직위는 사물인터넷(IoT) 디지털 포렌식 수사에 관련된 연구를 담당하므로, 다음과 같은 자격을 요합니다. <ul><li>프로그래...
Data Recovery
[How To] Forensic Data Recovery in Linux - tsk_recover
This week we will talk about The Sleuth Kit, and specifically the tool tsk_recover. tsk_recover is a useful tool for allocated and unallocated file recovery....
[How To] Forensic Data Recovery in Windows - Photorec
This week we will show how to use Photorec to recover data form a suspect disk image. Photorec supports the recovery of many different file types, but we wil...
ransomware
Ransomware and How to Protect Yourself
Originally Published in Korean at NewsTapa.org
No More Ransom - Detecting and unlocking ransomware without paying
Data is valuable. Ransomware takes advantage of the financial or sentimental value of our data, as well as the fact that most homes and organizations do not ...
Digital Investigation
What I’m Reading - Robust bootstrapping memory analysis against anti forensics
Today we are talking about ‘Robust bootstrapping memory analysis against anti-forensics’ by Lee Kyoungho, Hwang Hyunuk, Kim Kibom and Noh BongNam. This paper...
What I’m Reading - A functional reference model of passive systems for tracing network traffic
What I’m Reading: Today we are talking about ‘A functional reference model of passive systems for tracing network traffic’ by Thomas E. Daniels. This paper d...
Autopsy
Using Autopsy 4 to export file metadata
Autopsy 4 is a very powerful digital forensic investigation tool. Today, we are going to extract file and meta-data from a disk image (mobile phone) to use i...
How To - Introduction to Autopsy for Digital Forensics
Autopsy is a free, open source digital forensic tool that supports a wide range of add-on modules. Available APIs allow an investigator to easily create thei...
OCR
[How to] Using Tesseract-OCR to extract text from images
I recently found a tutorial on tesseract-ocr. I used tesseract a few years ago without much luck, but this time it was extremely easy.
public awareness
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
Ransomware and How to Protect Yourself
Originally Published in Korean at NewsTapa.org
National Security
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
When National Security Turns Against You
Opinion originally published by Korea Times
cybersecurity
UNODA and Cybersecurity Tech Accord Apps 4 Digital Peace Contest
21st century challenges need 21st century solutions, especially when it comes to creating a safer and a more secure online world. The global ICT environment ...
Korean National Security Includes Cybersecurity
Opinion originally posted by Korea Times as Letters to President Moon
incident response
Amazon AWS EC2 Forensic Memory Acquisition - LiME
EC2 Forensics can use many of the same tools and techniques as computer forensics. Usually, just with the addition of networking concepts. In this video, we ...
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
conferences 2018
Cybersecurity Revolution Conference 2018: Lessons learned
Last Friday was the Cybersecurity Revolution conference. The idea for the conference came from my friend at Serene-Risc. The concept was something similar to...
Linking Organized Crime and Cybercrime
The Linking Organized Crime and Cybercrime conference starts in 3 days! (June 7th and 8th)
analysis
Get top tweeting usernames based on hashtag
I was thinking about the Magnet Weekly Forensics CTF Challenge. There are a few ways to get points: answering the CTF question, trivia, and posting on social...
autopsy
Data Artifacts, Analysis Results, and Reporting in Autopsy
This is a mini-course on Autopsy. See chapter times below. You might want to watch Part 1 first - Starting a new case in Autopsy: https://youtu.be/fEqx0MeCCHg
Notes on Installing an Autopsy Multi-user Cluster
Note: This is just initial notes to get an autopsy multi-user cluster working. In my setup Autopsy is installed on Linux, and the servers are Linux-based. So...
Q&A
Hex editors and data structures
A student sent a question about hex editors. Hex editors are often used in forensics to view and analyze data. Viewing data in hexadecimal (hex) instead of r...
Detecting manual clock modifications
I received a question from an aspiring forensic investigator taking the Intro to Digital Forensics course.
ctf
Linux Forensics on Linux - Cyber5W CTF Walkthrough
Cyber5W released a Mini Linux DFIR CTF based on the Magnet Summit 2022 live CTF. It is doable if you are new to Linux investigations. A few questions are on ...
Magnet CTF Week 1 - Timestamps of doom
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
community
DFIR Community Hardware Fund
A few days ago, Alexis Brignoni posted a tweet about the increased usage of the Meta Quest 2 hardware. It’s one of many devices that digital investigators wi...
Use GitHub to get started in the DFIR community
Wondering where to start in the digital forensics (DFIR) community? Many projects and resources are hosted on GitHub, which allows you to easily participate....
competition
November DFIRDev Winners!
It’s a great pleasure to announce the November #DFIRDev competition winners!
WIN $100 and PRIZES - November DFIR Dev
Welcome everyone to the November DFIR Dev competition!
blockchain
Bitcoin Investigation and Wallet Seizure
Bitcoin investigation - and cryptocurrency investigations in general - benefit from access to a transparent ledger system - or blockchain - that investigator...
Cryptocurrency Investigation - Blockchain Basics
Cryptocurrency investigation is much like other forms of financial crime investigation. Find transactions, find accounts and tie accounts to a real person. C...
supply chain
Software supply chain and vulnerability assessment with syft and grype
Software supply chain vulnerabilities have resulted in large-scale attacks in recent years. Understanding the supply chain in an organization is difficult si...
Log4j vulnerability, supply chain attacks and SBOMs
The logging software Log4j was recently found to have an injection vulnerability that allowed remote code execution (RCE) among other vectors of attack. The ...
live data forensics
What data can you find in RAM?
To determine if you need to collect Random Access Memory on-scene, it is useful to know what kinda of investigation-relevant data is often available in RAM.
What is Random Access Memory?
Random Access Memory forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a compute...
RAM forensics
What data can you find in RAM?
To determine if you need to collect Random Access Memory on-scene, it is useful to know what kinda of investigation-relevant data is often available in RAM.
What is Random Access Memory?
Random Access Memory forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a compute...
livestream
Forensic 4:Cast Awards - The real award is DFriends we made along the way
Come hang out with the nominees for the Forensic 4:Cast “Best DFIR Show of the Year”: 13Cubed, I Beg to DFIR, and DFIR Science!
Digital Forensics and the Military - Interview with Andrew Lister
We often talk about digital forensics in criminal and civil investigations, but a lot of innovation happens in military acquisition and investigations. Join ...
ileapp
iLEAPP and RLEAPP updates and dev thoughts
Alex (@kviddy) has been pushing some extremely useful updates to the open-source Android forensic tool - [ALEAPP](https://github.com/abrignoni/ALEAPP]. Speci...
Modular artifact scripts coming to iLEAPP
kviddy has been pushing some great core updates to ALEAPP. Specifically, artifact scripts are now self-contained. This means that script authors no longer ne...
privacy policy
DFIR.Science Privacy Policy
Privacy is very important to us, and while some information is collected so we can attempt to improve you experience, we want to you know your privacy option...
OS X
Goldfish
Project: Goldfish<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue...
ANT
Automated Network Triage (ANT) / Profiler
Project: Automated Network Triage (ANT) / Profiler<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', Hel...
I18N/L10N
Project ATOM
Project: ATOM<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', H...
ATOM
Project ATOM
Project: ATOM<div class="p1" style="background-color: white; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', H...
Policing
Predictive Policing and Online Crime
FutureCrimes.com just passed on the single Sci-fi policing: predicting crime before it occurs. Crime modeling used by the LAPD appears to have contributed t...
Critical Systems
Revisiting the Four Grand Challenges in Trustworthy Computing: Challenge 2
A while back we looked at Challenge 1 in the Four Grand Challenges in Trustworthy Computing from 2003. In my opinion, we have fallen quite short on Challenge...
Formal Methods
Automata Intersection to Test Possibility of Statements in Investigations
As seen on DigitalFIRE.When conducting an investigation, many statements are given by witnesses and suspects. A “witness” could be considered as anything th...
Perceptual hashing
[How to] Install pHash on Ubuntu
pHash is an open source software library released under the GPLv3 license that implements several perceptual hashing algorithms, and provides a C-like API to...
Computer Vision
Comparing Similarity of Images using SIFT Features
I’ve been playing around with VLFeat, and specifically SIFT to compare images using sift feature extraction. A while back I was looking at comparing files an...
Mutual Legal Assistance
Help us understand Mutual Legal Assistance and win a FIREBrick Write Blocker
Please help DigitalFIRE Labs understand the current state of Mutual Legal Assistance Requests relating to digital evidence, and be entered for a chance to wi...
BigData
[CFP] 6th International Conference on Digital Forensics & Cyber Crime
September 18-20, 2014 - New Haven, CT, USA | Call for papersIMPORTANT DATESPaper Submission: 16 May, 2014Notification of Acceptance: 30 July, 2014Camera-read...
Forensic Challenge 2014
[CFP] DFRWS 2014 Forensic Challenge: Mobile Malware Analysis
See the challenge page for more information: Submission deadline: May 30, 2014 Mobile Malware Analysis The overall goal of this challenge is to raise the sta...
News
World Forensic Festival, Digital Forensic Masters and the Korea Linux Forum
A pretty busy day preparing for the World Forensic Festival next week. If you are going, please be sure to catch me on Thursday and Friday for the Digital F...
Authentication
FIDO Alliance Password-less Authentication Spec.
[Edited 2015-02-02]Last month, the FIDO Alliance released specifications that attempt to remove passwords from authentication. A few years ago, Google was al...
javascript
Modifying Javascript Variables Real Time with Chrome aka AdBlock Detection Subversion
Sometimes you may want to see what scripts a website is trying to run on your system. Other times you may want to be able to not only watch, but also modify ...
Cyber Warfare
A Proposal for Cyber Peacekeeping (CPK)
After a year of collaborative effort we submitted a paper about Cyber Peacekeeping (CPK) to ICDF2C 2015 (http://d-forensics.org/) and have just learned about...
Cyber Conflict
A Proposal for Cyber Peacekeeping (CPK)
After a year of collaborative effort we submitted a paper about Cyber Peacekeeping (CPK) to ICDF2C 2015 (http://d-forensics.org/) and have just learned about...
Cyber Safety
A Proposal for Cyber Peacekeeping (CPK)
After a year of collaborative effort we submitted a paper about Cyber Peacekeeping (CPK) to ICDF2C 2015 (http://d-forensics.org/) and have just learned about...
PKI
GPG Key Signing Party in Seoul 2015/06/24
Seoul Tech Society is having an introduction to Public Key Infrastructure (PKI) Wednesday, June 24th at D.CAMP in Seoul. We will give an introduction to PKI...
Cryptography
Seoul Tech Society Crypto Event
On June 24th, Seoul Tech Society held an ‘introduction to cryptography’ event. First, Artem Lenskiy gave an overview of how symmetric and asymmetric encrypti...
Investigation
Finding private IP addresses in Email Headers
In some cases it may be necessary or helpful to find the private IP of a suspect. This can be difficult, especially since NAT is common in most networks. How...
Conference 2016
[CFP] Call for Papers ICDF2C 2016
8th International Conference on Digital Forensics and Cyber Crime<div class="separator" style="clear: both; text-align: center;"></div>Location: ...
LIFS
Postdoctoral Positions Available at Hallym University, South Korea
Hello everyone! We have an opportunity for singledoctoral research positions. Positions with the Legal Informatics and Forensic Science Institute at Hallym U...
honeypot
Honeypot Fun
At the Legal Informatics and Forensic Science Institute, we are preparing to do some research on IoT smart homes. Part of that is setting up a slightly-less-...
Network Forensics
What I’m Reading - A functional reference model of passive systems for tracing network traffic
What I’m Reading: Today we are talking about ‘A functional reference model of passive systems for tracing network traffic’ by Thomas E. Daniels. This paper d...
dfi
[How to] Beginner Introduction to The Sleuth Kit (command line)
Today we will give a beginner-level introduction to The Sleuth Kit from command line. If this video is helpful, I highly recommend reading The Law Enforcemen...
jekyll
Switching to Jekyll
I’ve been on Blogger since 2008. It is very easy to use. Since 2008, nothing has really changed about it, save for an exciting -slight- editor UI change a fe...
blogging
Switching to Jekyll
I’ve been on Blogger since 2008. It is very easy to use. Since 2008, nothing has really changed about it, save for an exciting -slight- editor UI change a fe...
Autopsy 4
How To - Introduction to Autopsy for Digital Forensics
Autopsy is a free, open source digital forensic tool that supports a wide range of add-on modules. Available APIs allow an investigator to easily create thei...
The Sleuth Kit
How To - Introduction to Autopsy for Digital Forensics
Autopsy is a free, open source digital forensic tool that supports a wide range of add-on modules. Available APIs allow an investigator to easily create thei...
How to
How To - Introduction to Autopsy for Digital Forensics
Autopsy is a free, open source digital forensic tool that supports a wide range of add-on modules. Available APIs allow an investigator to easily create thei...
Conferences
[CFP] WSDF 2017 - extended deadline
Submission Deadline Extended to May 1st, 2017
Conferences 2017
[CFP] WSDF 2017 - extended deadline
Submission Deadline Extended to May 1st, 2017
Optical character recognition
[How to] Using Tesseract-OCR to extract text from images
I recently found a tutorial on tesseract-ocr. I used tesseract a few years ago without much luck, but this time it was extremely easy.
howto
Imaging Android with ADB, Root, Netcat and DD
Today we are going to acquire an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd. The system I am using is Ubuntu linux....
mobile acquisition
Imaging Android with ADB, Root, Netcat and DD
Today we are going to acquire an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd. The system I am using is Ubuntu linux....
Metadata
Using Autopsy 4 to export file metadata
Autopsy 4 is a very powerful digital forensic investigation tool. Today, we are going to extract file and meta-data from a disk image (mobile phone) to use i...
Bodyfile
Using Autopsy 4 to export file metadata
Autopsy 4 is a very powerful digital forensic investigation tool. Today, we are going to extract file and meta-data from a disk image (mobile phone) to use i...
timeline
Using Autopsy 4 to export file metadata
Autopsy 4 is a very powerful digital forensic investigation tool. Today, we are going to extract file and meta-data from a disk image (mobile phone) to use i...
editorial
Ransomware and How to Protect Yourself
Originally Published in Korean at NewsTapa.org
Public security
When National Security Turns Against You
Opinion originally published by Korea Times
Awareness
When National Security Turns Against You
Opinion originally published by Korea Times
WannaCry
When National Security Turns Against You
Opinion originally published by Korea Times
Ransomware
When National Security Turns Against You
Opinion originally published by Korea Times
Opinion
Korean National Security Includes Cybersecurity
Opinion originally posted by Korea Times as Letters to President Moon
National security
Korean National Security Includes Cybersecurity
Opinion originally posted by Korea Times as Letters to President Moon
South Korea
Korean National Security Includes Cybersecurity
Opinion originally posted by Korea Times as Letters to President Moon
Planning
Korean National Security Includes Cybersecurity
Opinion originally posted by Korea Times as Letters to President Moon
Volatility
[How To] Volatility Memory Analysis Building Linux Kernel Profiles
Memory foreniscs in Linux is not very easy. The reason is because the Linux kernel changes data structures and debug symbols often. Users can also easily mod...
How To
[How To] Volatility Memory Analysis Building Linux Kernel Profiles
Memory foreniscs in Linux is not very easy. The reason is because the Linux kernel changes data structures and debug symbols often. Users can also easily mod...
Memory analysis
[How To] Volatility Memory Analysis Building Linux Kernel Profiles
Memory foreniscs in Linux is not very easy. The reason is because the Linux kernel changes data structures and debug symbols often. Users can also easily mod...
LiME
[How To] Volatility Memory Analysis Building Linux Kernel Profiles
Memory foreniscs in Linux is not very easy. The reason is because the Linux kernel changes data structures and debug symbols often. Users can also easily mod...
emergency messaging
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
emergency response
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
SMS spam
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
SMS alerts
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
Don't do this
Horrible messaging is bad for national security
For over a year, anyone with a mobile phone in Korea has had to put up with spam text messages from Korea’s Ministry of Public Safety and Security (국민안전처). I...
ssdeep
[How To] Fuzzy Hashing with SSDEEP (similarity matching)
SSDEEP is a fuzzy hashing tool written by Jesse Kornblum. There is quite a bit of work about similarity hashing and comparisons with other methods. The mains...
fuzzy hashing
[How To] Fuzzy Hashing with SSDEEP (similarity matching)
SSDEEP is a fuzzy hashing tool written by Jesse Kornblum. There is quite a bit of work about similarity hashing and comparisons with other methods. The mains...
File formats
Koreas first step to globalization through ODT
ZDNet Korea reports that the South Korean government is making a first-step to shift from the proprietary Hangul Word Processor (HWP) file format (.hwp) to t...
hacking
A comment on Applebys reaction to the Paradise Papers
Today the International Consortium of Investigative Journalists (ICIJ) released “The Paradise Papers.” These look to be a massive collection of documents re...
commentary
A comment on Applebys reaction to the Paradise Papers
Today the International Consortium of Investigative Journalists (ICIJ) released “The Paradise Papers.” These look to be a massive collection of documents re...
Disk Acquisition
EWF Tools: working with Expert Witness Files in Linux
Expert Witness Format (EWF) files, often saved with an E01 extension, are very common in digital investigations. Many forensic tools support E01 files, but m...
Windows
Back to top ↑Sleuthkit
Back to top ↑disk imaging
Testing File Systems for Digital Forensic Imaging
Introduction - the problem Recently I’ve been doing a lot of large disk forensic imaging. I usually use Linux-based systems for forensic imaging. A normal ca...
file system
Testing File Systems for Digital Forensic Imaging
Introduction - the problem Recently I’ve been doing a lot of large disk forensic imaging. I usually use Linux-based systems for forensic imaging. A normal ca...
optimization
Testing File Systems for Digital Forensic Imaging
Introduction - the problem Recently I’ve been doing a lot of large disk forensic imaging. I usually use Linux-based systems for forensic imaging. A normal ca...
zeltser
Testing File Systems for Digital Forensic Imaging
Introduction - the problem Recently I’ve been doing a lot of large disk forensic imaging. I usually use Linux-based systems for forensic imaging. A normal ca...
knowledge
DFIR already has Rapid Peer Review - we can do better
Introduction Over the last few weeks Brett Shavers has been discussing how to publish DFIR research in a better way. I’ve been thinking about this from the a...
how to
Research 101: How to do research in digital forensics
Digital forensic science includes many areas of study. Gaining a background in every relevant area is difficult, if not impossible. However, all knowledge in...
online course
Research 101: How to do research in digital forensics
Digital forensic science includes many areas of study. Gaining a background in every relevant area is difficult, if not impossible. However, all knowledge in...
digital forensic science
Research 101: How to do research in digital forensics
Digital forensic science includes many areas of study. Gaining a background in every relevant area is difficult, if not impossible. However, all knowledge in...
automation
Creating a telegram bot to assist with research automation
Over the past few years, the LIFS@Hallym Research Group grew big, really fast. We have tried several tools and workflows to try to stay organized as a group,...
telegram
Creating a telegram bot to assist with research automation
Over the past few years, the LIFS@Hallym Research Group grew big, really fast. We have tried several tools and workflows to try to stay organized as a group,...
bot
Creating a telegram bot to assist with research automation
Over the past few years, the LIFS@Hallym Research Group grew big, really fast. We have tried several tools and workflows to try to stay organized as a group,...
contest
UNODA and Cybersecurity Tech Accord Apps 4 Digital Peace Contest
21st century challenges need 21st century solutions, especially when it comes to creating a safer and a more secure online world. The global ICT environment ...
text analysis
Back to top ↑image analysis
Back to top ↑gImageReader
Back to top ↑tesseract ocr
Back to top ↑imagemagick
Back to top ↑tsurugi
Tsurugi Linux for Digital Forensics - Download and verify
Tsurugi Linux is a DFIR Linux distribution by Backtrack and Deft Linux veterans. I loved DEFT, and was excited to see what the Tsurugi team had planned. This...
attribution
Attribution in investigations and false flag operations
Jake Williams gave a talk about false flag operations at Black Hat Europe 2019. I’ve talked before about organizations being either lazy or political with cy...
false flag
Attribution in investigations and false flag operations
Jake Williams gave a talk about false flag operations at Black Hat Europe 2019. I’ve talked before about organizations being either lazy or political with cy...
review
Slimbook Pro X Review
This post is a review of the Slimbook Pro X. I’ve been using the Slimbook for about a month. There isn’t much info available in English, so I thought I would...
UNODC
CFP UNODC E4J Conference Access to Justice to End Violence
Call for Papers for the UNODC E4J international academic conference on Access to Justice to End Violence.
security
Using your computer to fight COVID-19
You’re stuck at home, maybe going a little crazy (here are some tips to help with that). Maybe you are starting to feel frustrated. I know I am.
computing
Using your computer to fight COVID-19
You’re stuck at home, maybe going a little crazy (here are some tips to help with that). Maybe you are starting to feel frustrated. I know I am.
boinc
Using your computer to fight COVID-19
You’re stuck at home, maybe going a little crazy (here are some tips to help with that). Maybe you are starting to feel frustrated. I know I am.
hex
Hex editors and data structures
A student sent a question about hex editors. Hex editors are often used in forensics to view and analyze data. Viewing data in hexadecimal (hex) instead of r...
timestamps
Magnet CTF Week 1 - Timestamps of doom
Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!
Get top tweeting usernames based on hashtag
I was thinking about the Magnet Weekly Forensics CTF Challenge. There are a few ways to get points: answering the CTF question, trivia, and posting on social...
OSINT
Get top tweeting usernames based on hashtag
I was thinking about the Magnet Weekly Forensics CTF Challenge. There are a few ways to get points: answering the CTF question, trivia, and posting on social...
privacy
Is Protonmail Broken?
Security-focused email provider ProtonMail was found to provide the IP address of a French activist to Swiss authorities. This is despite the fact that Proto...
career
What job opportunities does digital forensics give me?
A question from a postgrad student about what they can do with a degree in digital forensics. What’s possible? Where to start?
news
7 Million Records Lost in Robinhood Security Breach
Robinhood - a stock trading application - recently revealed a data breach that resulted in the loss of approximately 7 million user records. Most of these we...
iphone
Fast iPhone forensic analysis with iLEAPP
iPhone forensic analysis can be complicated, but sometimes you need to quickly access some of the most common information. iOS Logs, Events, And Plists Parse...
dev
Fast Software Prototyping in Python - iLEAPP module example
When adding code to a large project, like the iPhone forensic triage software iLEAPP, re-running the software over and over again to test your module can bec...
iOS
iPhone forensics with Linux command line and bplister
iPhone (iOS) forensics is somewhat complicated by difficult data structures in the device. However, it is possible to do a quick iPhone investigation with ba...
DFIRDev
November DFIRDev Winners!
It’s a great pleasure to announce the November #DFIRDev competition winners!
forensics
Cryptocurrency Investigation - Blockchain Basics
Cryptocurrency investigation is much like other forms of financial crime investigation. Find transactions, find accounts and tie accounts to a real person. C...
bitcoin
Bitcoin forensics - visualizing blockchain transactions with Maltego
Cryptocurrency investigations - like Bitcoin forensics - usually involve blockchain transaction analysis. You can use blockchain.com Explorer to look up Bitc...
Registry
Intro to Windows Registry Artifact Analysis - TryHackMe Walkthrough
TryHackMe recently released a room dedicated to Windows Forensics! We do a walkthrough of the TryHackMe WindowsForensics1 room and learn all about the Window...
reaction
Digital Forensic Scientist Reacts: Criminal Minds S01E01 - Extreme Aggressor
Writing a drama is difficult. Getting the digital forensic procedure right is more complicated. A digital forensic scientist reacts to Criminal Minds Season ...
ALEAPP
How to extract files from Cellebrite Reader UFDR for ALEAPP or iLEAPP
Sometimes you are presented with odd file types from forensic tools. These odd file types are often related to forensic disk images or other containers.
cellebrite
Convert UFDR to DIR
In a prior post we tested parsing a Cellebrite Reader UFDR file directly with ALEAPP. Although ALEAPP could process the file if we renamed it with a .zip ext...
RAM
Introduction to Memory Forensics with Volatility 3
Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems...
volatility
Introduction to Memory Forensics with Volatility 3
Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems...
dfirscience
A new look for DFIR Science
Back in 2008, DFIR Science started as a research blog. It was mostly technical documentation to set up things like OCFA and Debian Live. It was always about ...
conferences
Getting started in DFIR: Conferences and Workshops
Ever wonder how to be accepted to a conference? Today we talk about different types of tech conferences, and how to get started both attending and giving pre...
oculus
Oculus Quest 2 First Impressions and Research Notes
Recently the DFIR Community Hardware Fund purchased a Meta Oculus Quest 2 VR headset. Unboxing and device images can be found here. I finally had time to set...
vr
Oculus Quest 2 First Impressions and Research Notes
Recently the DFIR Community Hardware Fund purchased a Meta Oculus Quest 2 VR headset. Unboxing and device images can be found here. I finally had time to set...
jobs
Chainalysis Crypto Capstone
Are you a college-level junior or senior studying Engineering, Computer Science, Cyber Security, Information Technology or related field? Do you want to lear...
hardware
Tableau External Write Blocker Setup and Forensic Imaging Walkthrough
Forensic write blockers prevent the forensic workstation from modifying the source disk. Physical write blockers physically prevent write commands from being...
walkthrough
Linux Forensics on Linux - Cyber5W CTF Walkthrough
Cyber5W released a Mini Linux DFIR CTF based on the Magnet Summit 2022 live CTF. It is doable if you are new to Linux investigations. A few questions are on ...
Arsenal Recon
Linux LVM Ext4 Support in Windows with Arsenal Image Mounter
Previously we showed how to access a Linux Logical Volume Manager partition inside a forensic disk image. We were looking for a way to access the LVM partiti...
hashcat
Fast password cracking - Hashcat wordlists from RAM
Password cracking often takes a long time. Brute force is normally your last option. But before that, a wordlist usually helps guess the password faster.
password cracking
Fast password cracking - Hashcat wordlists from RAM
Password cracking often takes a long time. Brute force is normally your last option. But before that, a wordlist usually helps guess the password faster.
UN
🇺🇳 Africa DFIR CTF 2022 Award Ceremony 🎉
Huge DFIR stream with a lot of Q&A. Check out the chapter times below!
military
Digital Forensics and the Military - Interview with Andrew Lister
We often talk about digital forensics in criminal and civil investigations, but a lot of innovation happens in military acquisition and investigations. Join ...
Detego
Digital Forensics and the Military - Interview with Andrew Lister
We often talk about digital forensics in criminal and civil investigations, but a lot of innovation happens in military acquisition and investigations. Join ...
4Cast
Forensic 4:Cast Awards - The real award is DFriends we made along the way
Come hang out with the nominees for the Forensic 4:Cast “Best DFIR Show of the Year”: 13Cubed, I Beg to DFIR, and DFIR Science!
aleapp
Modular artifact scripts coming to iLEAPP
kviddy has been pushing some great core updates to ALEAPP. Specifically, artifact scripts are now self-contained. This means that script authors no longer ne...
development
iLEAPP and RLEAPP updates and dev thoughts
Alex (@kviddy) has been pushing some extremely useful updates to the open-source Android forensic tool - [ALEAPP](https://github.com/abrignoni/ALEAPP]. Speci...
rleapp
iLEAPP and RLEAPP updates and dev thoughts
Alex (@kviddy) has been pushing some extremely useful updates to the open-source Android forensic tool - [ALEAPP](https://github.com/abrignoni/ALEAPP]. Speci...
Social Media
Social Media and Intelligence Gathering
As seen on DigitalFIREOnline social media has changed the way many people, businesses and even governments interact with each other. Because of Twitter’s pop...